Hello, Thanks for your help. MBAM is detecting this but cannot delete. Here is my HJT File.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:34 PM, on 3/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {88096be5-c087-412e-ba7a-9a6880c146e5} - C:\WINDOWS\system32\zuyagewa.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [makovejoha] Rundll32.exe "C:\WINDOWS\system32\ferakozo.dll",s
O4 - HKLM\..\Run: [d4f39955] rundll32.exe "C:\WINDOWS\system32\dadutiwo.dll",b
O4 - HKLM\..\Run: [CPMd7c0aac9] Rundll32.exe "c:\windows\system32\morezahe.dll",a
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [makovejoha] Rundll32.exe "C:\WINDOWS\system32\ferakozo.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [makovejoha] Rundll32.exe "C:\WINDOWS\system32\ferakozo.dll",s (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223958421265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223958690312
O20 - AppInit_DLLs: fnmolg.dll upnptx.dll C:\WINDOWS\system32\bokumevo.dll c:\windows\system32\morezahe.dll wrbwtk.dll zpygbc.dll c:\windows\system32\yirumuno.dll vmqozn.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 8504 bytes

Sorry, Spelled it wrong. Trojan.Vundo.H Thanks, Jim


Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date.
Also, helpers may think you are already being assisted because of the post count.
The same applies to bumping, please don't.

http://forums.spybot.info/showpost.php?p=219168&postcount=6

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

Read the directions and disable TeaTimer as instructed, then post a new HJT log.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

Hi Paul, Nice to see you again. The problem has changed. I can now not log on to my computer. It logs me off right after I log on. I'm writing this from my wife's computer. The last time I was able to run MBAM it locked up and reported that RegEdit was disabled. Then the whole computer locked up hard.

I repaired the system from my XP disk but then it wouldn't allow me to run Spybot S&D or MBAM. and after 20 minutes it locked up hard again.

Where do I go from here? Is there any hope?

Thanks Jim

Unfortunately It sounds like the malware is blocking the tools you need to remove it (my guess) I doubt a repair will do it since that will not remove the malware, takes a reformat to do that. If you have the ability to download to the other computer and transfer the tool to the infected one, we can give this a try. I need to send the instructions via a Private Message, please watch for it.

Thanks...Phil

No responses to PM's from this member, closing the topic. If you continue to have issues, start a new thread.

Thanks