Virtumonde



fatima_22
2008-09-22, 01:39
I have been experiencing difficulties with my computer, in which the greatest problem is that I am unable to load any pages on the internet without scanning my computer with Spybot every few hours. Every time, virtumonde.dll, virtumonde.prx and virtumonde.sci come up. I read the posting on the etiquette to follow to post in the forums already and have noticed that the first step to take is to scan with HJT and paste the log file. My log file for HJT is provided below... PLEASE HELP :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:23 PM, on 9/21/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [78a7b802] rundll32.exe "C:\WINDOWS\system32\tdmkkptf.dll",b
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BM7b948b9e] Rundll32.exe "C:\WINDOWS\system32\vfnknlgj.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8473] command /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3033] cmd /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9468] command /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1616] cmd /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1680] command /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2618] cmd /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8306] command /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1181] cmd /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: ztwvmq.dll

fatima_22
2008-09-22, 01:45
Oops, I didn't post the whole thing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:23 PM, on 9/21/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [78a7b802] rundll32.exe "C:\WINDOWS\system32\tdmkkptf.dll",b
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BM7b948b9e] Rundll32.exe "C:\WINDOWS\system32\vfnknlgj.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8473] command /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3033] cmd /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9468] command /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1616] cmd /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1680] command /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2618] cmd /c del "C:\WINDOWS\system32\mlJAqrRh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8306] command /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1181] cmd /c del "C:\WINDOWS\system32\vfnknlgj.dll_old"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: ztwvmq.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 2806 bytes

pskelley
2008-09-27, 17:52
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37
I apologize that you were overlooked, but you can see from the information I posted why this happened. If you still need help I would like to give it, but first I must ask about this:

O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
http://www.castlecops.com/o23list-2854.html

Related to Websense: increases web security and employee productivity through internet policy enforcement.


Note: this applies when the infected computer in question is a company machine in the workplace and you are an employee.

Your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

fatima_22
2008-09-28, 07:47
From what you have replied to my HJT log, somehow it seems that my computer is from work, but this is my home computer. I do not understand why this is happening. Is there some way to fix it?

pskelley
2008-09-28, 12:28
"but this is my home computer" <<< that is all you needed to say, I am wondering why you would have this program:
Websense installed on a home computer? Proceed like this:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

fatima_22
2008-09-30, 06:58
I followed the prompts for ComboFix and a dialog box appears that says that my OS is not compatible. Is there any other program I can use? I also pasted my new HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:25 AM, on 9/30/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [78a7b802] rundll32.exe "C:\WINDOWS\system32\gqkjmxgi.dll",b
O4 - HKLM\..\Run: [BM7b948b9e] Rundll32.exe "C:\WINDOWS\system32\fqdupbfc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: hwntpi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3666 bytes
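The two HijackThis logs posted in this thread (9/21 and 9/30) show the same Run value names, [78a7b802] and [BM7b948b9e], and the same AppInit_DLLs entry, each pointing at a different random-name DLL in system32 on each scan, which is the signature of an infection that reinstalls itself between cleanups rather than one that was removed. The script below is an added example written for this page; it is not a tool from the thread, from Safer Networking or from the HijackThis authors. It parses the O4/O20/O23 lines in HJT's log format, flags the persistence patterns visible above, and diffs two logs to find entries that kept their name but changed payload. The detection thresholds (6-8 letter DLL basenames, 8-hex-digit value names, the "Unknown owner"/"(file missing)" service checks) and the allow_dlls parameter are this example's own assumptions, and the sample lines are copied from the logs above.

```python
"""Triage HijackThis O4/O20/O23 lines for Vundo-style persistence.

Added example for this thread, not HijackThis/Spybot/Safer Networking code.
The heuristic thresholds below are the example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: autostart lines copied from the two HijackThis logs
# posted in the thread (scans of 9/21/2008 and 9/30/2008).
HJT_SEP21 = r"""
O4 - HKLM\..\Run: [78a7b802] rundll32.exe "C:\WINDOWS\system32\tdmkkptf.dll",b
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BM7b948b9e] Rundll32.exe "C:\WINDOWS\system32\vfnknlgj.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: ztwvmq.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
"""

HJT_SEP30 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [78a7b802] rundll32.exe "C:\WINDOWS\system32\gqkjmxgi.dll",b
O4 - HKLM\..\Run: [BM7b948b9e] Rundll32.exe "C:\WINDOWS\system32\fqdupbfc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: hwntpi.dll
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
"""

# HijackThis line formats, as printed in the logs above.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")

# Heuristics (assumptions): Vundo drops DLLs with 6-8 random letters into system32
# and registers them under Run values named with 8 hex digits, optionally "BM"-prefixed.
RANDOM_DLL_RE = re.compile(r"\\system32\\([a-z]{6,8})\.dll", re.I)
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # O4, O20 or O23
    item: str     # Run value name, DLL name or service short name
    reason: str


def triage(log: str, allow_dlls: frozenset[str] = frozenset()) -> list[Finding]:
    """One Finding per suspicious trait in the O4/O20/O23 lines of `log`.

    allow_dlls: lowercase basenames (without .dll) known to be legitimate on this
    box, so a vendor DLL that happens to have an 8-letter name is not flagged.
    """
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            if HEX_NAME_RE.match(name):
                findings.append(Finding("O4", name, "Run value name is a bare hex blob"))
            dll = RANDOM_DLL_RE.search(cmd)
            if "rundll32" in cmd.lower() and dll and dll.group(1).lower() not in allow_dlls:
                findings.append(Finding("O4", name, f"rundll32 loads random-name {dll.group(1)}.dll from system32"))
        elif m := O20_RE.match(line):
            # Anything listed here is loaded into every process that links user32.dll;
            # on a home machine the value should normally be empty.
            for dll in m["dlls"].replace(",", " ").split():
                findings.append(Finding("O20", dll, "AppInit_DLLs injects this DLL into every GUI process"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["svc"], "service binary missing (orphaned or self-deleting)"))
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", m["svc"], "service binary carries no vendor information"))
    return findings


def _payloads(log: str) -> dict[str, str]:
    """Map each autostart entry name to its payload (command line or DLL list)."""
    out: dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            out[f"{m['hive']}\\{m['key']}\\{m['name']}"] = m["cmd"]
        elif m := O20_RE.match(line):
            out["AppInit_DLLs"] = m["dlls"]
    return out


def autostart_diff(old_log: str, new_log: str) -> dict[str, tuple[str, str]]:
    """Entries present in both logs under the same name but with a different payload.

    Vundo keeps the Run value name and regenerates the DLL, so "same name, new DLL"
    between two scans means the infection is reinstalling itself, not being removed.
    """
    a, b = _payloads(old_log), _payloads(new_log)
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}


if __name__ == "__main__":
    for f in triage(HJT_SEP21):
        print(f"{f.section} [{f.item}]: {f.reason}")
    for name, (before, after) in autostart_diff(HJT_SEP21, HJT_SEP30).items():
        print(f"CHANGED {name}\n   was: {before}\n   now: {after}")
```

Run against the 9/21 lines it reports seven findings: both hex-named Run values, their two random-name DLLs, the AppInit_DLLs entry, and the orphaned "Websense" service twice (missing binary, no vendor). The diff against the 9/30 lines reports three entries with the same name and a new payload (78a7b802, BM7b948b9e and AppInit_DLLs); ctfmon.exe is unchanged and is not reported. The random-name check is a heuristic and will occasionally hit a legitimate vendor DLL, which is what allow_dlls is for; the stronger signal is the diff, because a benign autostart does not swap its DLL between two scans nine days apart.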

pskelley
2008-09-30, 14:38
Windows 2003 <<< I apologize, I did not notice the operating system. Had I, I would not have responded, since I know nothing about that system. Since I have, I will do my best. Let's see if MBAM will run.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

and it might not?

I did a little looking for Windows 2003 and found that:
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
is supposed to target this infection:
http://support.microsoft.com/?kbid=890830
Win32/Virtumonde (http://go.microsoft.com/fwlink/?linkid=37020&name=Win32/Virtumonde) March 2008 (V 1.39) Moderate
http://www.microsoft.com/security/portal/Entry.aspx?name=Win32%2fVirtumonde

So after you try MBAM (even if it works) give this tool a try, it may find stuff MBAM misses.

Let me know how it goes.

Thanks...Phil

fatima_22
2008-09-30, 23:15
Thank you so much for all your help. I ran MBAM. I am posting the new HJT and MBAM logs below.

MBAM:

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.2.3790

9/30/2008 5:02:11 PM
mbam-log-2008-09-30 (17-02-10).txt

Scan type: Quick Scan
Objects scanned: 153760
Time elapsed: 1 hour(s), 2 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 27
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 147

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awttTKaB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ulvrkvsw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hwntpi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJAqrRh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\elchrohf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\temvdp.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e8ee053-8bd8-4030-aa32-11feaef9fe5b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4e8ee053-8bd8-4030-aa32-11feaef9fe5b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{982e216b-ca3c-4725-bfcb-a208421d2747} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{982e216b-ca3c-4725-bfcb-a208421d2747} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b19e6f60-54e8-4579-a4da-3dc0580397d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ayjcutwk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b19e6f60-54e8-4579-a4da-3dc0580397d1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaqrrh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d2977a2-37ce-4041-8afe-47eea052e7f9} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7d2977a2-37ce-4041-8afe-47eea052e7f9} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\meedia (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FMTR (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78a7b802 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm7b948b9e (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtttkab -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtttkab -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Reza\Local Settings\Temp\NI.UGA6P_0001_N111M1707 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\AVSystemCare (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\AVSystemCare\Logs (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Application Data\AVSystemCare (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Application Data\AVSystemCare\Logs (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\temvdp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awttTKaB.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\BaKTttwa.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\BaKTttwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\windows\system32\kllfkll.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJAqrRh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aptjaqvh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hvqajtpa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ellnbwmw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmwbnlle.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fhokntte.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ettnkohf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gafynjbq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbjnyfag.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjxllwhx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xhwllxjg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gqkjmxgi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igxmjkqg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ksonxqsg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gsqxnosk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfvgmvsh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsvmgvfm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oubivwbd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbwvibuo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phpkovha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahvokphp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdmkkptf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftpkkmdt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\txusojlh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hljosuxt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tyyijpnn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnpjiyyt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ucdtvyeq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qeyvtdcu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulvrkvsw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wsvkrvlu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xknrxvdr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rdvxrnkx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytwuabpi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipbauwty.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\d3dx9_2.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\hwntpi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\elchrohf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\opnxam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdjriz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cclcwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nevjcn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agyvsx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\axoeyn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dicsubrv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dmreewrv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fmqhtv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvfeqmfi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebsect.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eoubae.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fynuateo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gadbxupf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gfwwyn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gmoascyf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gnmaxonm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwpaslpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrcshjrr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knufhbeq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuuhwnyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvjmydob.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phbrnfmb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\poxaoo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhulqc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlmebout.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tckcsaow.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkufuyly.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vstajvnh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ogyfsfmd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbumesdt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qdnvkyax.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wprpomvi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgvhcbay.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lxwdov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcduel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xggsvbcl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xijujpdp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xusfbpqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ycslamfl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yfumkn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yiranljk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yutgav.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ztwvmq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxbksq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbznzy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdkgelox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvbcbvym.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvfehldn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\txfddi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tyjgoi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukexcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bifhtyun.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qwejpf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qxmhiias.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc40.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc41.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc42.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc43.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc44.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc47.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc48.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc49.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc50.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc145.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc181.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc45.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc146.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc147.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc148.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc149.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc152.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc154.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc174.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc176.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc178.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc182.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc183.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc185.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc186.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc187.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3924207305-1859986940-3923142012-1006\Dc246.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Local Settings\Temporary Internet Files\Content.IE5\FLVCHB3W\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Local Settings\Temporary Internet Files\Content.IE5\MGHN321Z\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\install_en[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\AVSystemCare\avtasks.dat (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\AVSystemCare\Logs\av.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Reza\Application Data\AVSystemCare\Logs\ga6Support.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Application Data\AVSystemCare\Logs\av.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Application Data\AVSystemCare\Logs\ga6Support.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnjimptx.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7b948b9e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7b948b9e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcpatj0eeat.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Local Settings\Temp\dat67.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fatima\Local Settings\Temp\dat69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:59 PM, on 9/30/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7D2977A2-37CE-4041-8AFE-47EEA052E7F9} - C:\WINDOWS\system32\d3dx9_2.dll
O2 - BHO: (no name) - {B19E6F60-54E8-4579-A4DA-3DC0580397D1} - c:\windows\system32\kllfkll.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: temvdp.dll
O20 - Winlogon Notify: ayjcutwk - kllfkll.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4185 bytes

fatima_22
2008-09-30, 23:18
Also, I tried to go to the link of the other tool you said to try, but it doesn't work.

fatima_22
2008-09-30, 23:19
I think I fixed the link, so I'm going to try the tool now.

fatima_22
2008-09-30, 23:24
It said no malicious software was detected :)

pskelley
2008-10-01, 00:15
Not only were you infected, but you were very badly infected. It's a good thing MBAM targets this infection on Windows 2003.

This is what I want you to do. Some instructions are for XP, so you might have to figure out how to make them work on 2003. I am guessing on much of this.

1) View all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {7D2977A2-37CE-4041-8AFE-47EEA052E7F9} - C:\WINDOWS\system32\d3dx9_2.dll
O2 - BHO: (no name) - {B19E6F60-54E8-4579-A4DA-3DC0580397D1} - c:\windows\system32\kllfkll.dll (file missing)
O20 - AppInit_DLLs: temvdp.dll -
O20 - Winlogon Notify: ayjcutwk - kllfkll.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\d3dx9_2.dll <<< delete that file
If you have problems with that file use these instructions:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

4) Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

5) Update MBAM and scan again, post the scan results and a new HJT log.

Tell me how the computer is running.

Thanks
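The four HJT entries picked out for "Fix checked" above, plus the orphaned O23 service in the 9/30 log, share a handful of signals: a BHO registered with no display name, a load point whose DLL is already gone ("file missing"), a populated AppInit_DLLs value, and a service with no publisher. The script below, an added example and not code from HijackThis, MBAM or Spybot, encodes those signals, runs them over the O2/O20/O23 lines copied from the log posted earlier in the thread, and prints the registry location each load point lives in (standard Windows 2003 paths) so the fix can be verified with regedit afterwards. The "looks machine-generated" check is a heuristic of my own and only supports a verdict, never makes one.

```python
"""Triage HijackThis 2.0.2 lines for Vundo/Virtumonde-style load points.
Added example: not HijackThis, MBAM or Spybot code. Signals and registry
paths are standard; the name-randomness test is a heuristic hint only."""
import re
from dataclasses import dataclass, field

# Sample input: O2/O20/O23 lines copied from the 9/30/2008 HJT log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7D2977A2-37CE-4041-8AFE-47EEA052E7F9} - C:\WINDOWS\system32\d3dx9_2.dll
O2 - BHO: (no name) - {B19E6F60-54E8-4579-A4DA-3DC0580397D1} - c:\windows\system32\kllfkll.dll (file missing)
O20 - AppInit_DLLs: temvdp.dll
O20 - Winlogon Notify: ayjcutwk - kllfkll.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Websense CPM Report Scheduler (bi4oii8memooa6pi) - Unknown owner - C:\WINDOWS\system32\mymmyr.exe (file missing)
"""

# Registry locations behind each HJT section (Windows NT/2003 paths).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{}"
APPINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{}"
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\{}"

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    section: str   # HJT section: O2, O20, O23
    target: str    # CLSID, DLL name or service short name
    registry: str  # where this load point is registered
    reasons: list = field(default_factory=list)

    @property
    def flagged(self):
        # "hint:" reasons support a verdict but never make one on their own
        return any(not r.startswith("hint:") for r in self.reasons)


def stem_of(path):
    """File name without directory, extension or the '(file missing)' marker."""
    name = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
    return re.sub(r"\.(dll|exe|sys)$", "", name, flags=re.IGNORECASE)


def looks_random(stem):
    """Heuristic: Vundo names are consonant-heavy or mix letters and digits."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 6:
        return False
    if any(c.isdigit() for c in s):
        return True
    return sum(c in "aeiou" for c in letters) / len(letters) <= 0.25


def parse_line(line):
    """Return a Finding for recognised sections, None for everything else."""
    missing = "(file missing)" in line
    if m := RE_O2.match(line):
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if missing:
            reasons.append("BHO DLL no longer exists")
        if looks_random(stem_of(m["path"])):
            reasons.append("hint: file name looks machine-generated")
        return Finding(line, "O2", m["clsid"], BHO_KEY.format(m["clsid"]), reasons)
    if m := RE_APPINIT.match(line):
        dlls = m["dlls"].strip(" -")
        reasons = ["AppInit_DLLs set: DLL loads into every process that maps user32.dll"] if dlls else []
        return Finding(line, "O20", dlls, APPINIT_VALUE, reasons)
    if m := RE_NOTIFY.match(line):
        reasons = ["Winlogon Notify package DLL no longer exists"] if missing else []
        if looks_random(m["name"]):
            reasons.append("hint: package name looks machine-generated")
        return Finding(line, "O20", m["name"], NOTIFY_KEY.format(m["name"]), reasons)
    if m := RE_O23.match(line):
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("service binary has no company name (HJT: Unknown owner)")
        if missing:
            reasons.append("service binary no longer exists")
        if looks_random(m["short"]):
            reasons.append("hint: service name looks machine-generated")
        return Finding(line, "O23", m["short"], SERVICE_KEY.format(m["short"]), reasons)
    return None


def triage(log_text):
    """Parse every recognised line; returns all Findings, flagged or not."""
    return [f for f in (parse_line(l.strip()) for l in log_text.splitlines()) if f]


def flagged_targets(log_text):
    """Map target -> reasons for the entries a helper would tell the user to fix."""
    return {f.target: f.reasons for f in triage(log_text) if f.flagged}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("FIX " if f.flagged else "ok  ") + f"{f.section:<4}{f.target:<40}{f.registry}")
        for r in f.reasons:
            print("        " + r)
```

Run as-is it marks exactly the two "(no name)" BHOs, the AppInit_DLLs entry, the ayjcutwk Notify package and the bi4oii8memooa6pi service, and leaves the Yahoo! BHO and the Lavasoft service alone. The registry path printed for each is where to look after "Fix checked" to confirm the entry is really gone; a BHO CLSID that survives in the Browser Helper Objects key, or a non-empty AppInit_DLLs value, means the fix did not take and the DLL is still being loaded.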

fatima_22
2008-10-01, 01:09
I did everything up to the step where I had to delete the file d3dx9_2.dll off my computer, because it says it is protected, thus not able to be deleted. I will still do all the other steps just in case.

pskelley
2008-10-01, 01:28
C:\WINDOWS\system32\d3dx9_2.dll <<< that file has to be deleted and I cannot do it for you. If you cannot use the "Delete on Reboot" tool, then delete it in safe mode.

http://spyware-free.us/tutorials/safemode/

pskelley
2008-10-07, 23:56
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.