Dialer and virtumonde?



pated
2006-07-28, 12:56
Hi, I am using V1.4 updated 27Jul06 but cannot detect two infections, one of which periodically generates a text box in Italian and tries to dial out.

I have run Adaware and Ewido and both have cleaned what they can, leaving me with the following HijackThis log. Read on the web that Virtumonde prevents HijackThis from working so renamed it to C:\Archivos de programa\Gary\viewthis.exe. Also, using Fix on the following does not resolve (they return), nor does asking NT to delete on exit.
O20 - Winlogon Notify: sstqq - C:\WINNT\system32\sstqq.dll
O20 - Winlogon Notify: winvlj32 - C:\WINNT\SYSTEM32\winvlj32.dll
O2 - BHO: (no name) - {C6A3D072-C5BC-4982-A8EA-9D422B385715} - C:\WINNT\system32\sstqq.dll

Pls help!



Logfile of HijackThis v1.99.1
Scan saved at 11:14:28, on 28/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\internat.exe
C:\WINNT\TEMP\idd89.tmp.exe
C:\WINNT\TEMP\iddA4.tmp.exe
C:\WINNT\TEMP\iddB9.tmp.exe
C:\WINNT\TEMP\iddCE.tmp.exe
C:\WINNT\TEMP\iddE9.tmp.exe
C:\WINNT\TEMP\iddFE.tmp.exe
C:\WINNT\TEMP\idd113.tmp.exe
C:\WINNT\TEMP\idd12E.tmp.exe
C:\WINNT\TEMP\idd143.tmp.exe
C:\WINNT\TEMP\idd158.tmp.exe
C:\WINNT\TEMP\idd173.tmp.exe
C:\WINNT\TEMP\idd188.tmp.exe
C:\WINNT\TEMP\idd19D.tmp.exe
C:\WINNT\TEMP\idd1B8.tmp.exe
C:\WINNT\TEMP\idd1CD.tmp.exe
C:\WINNT\TEMP\idd1E2.tmp.exe
C:\WINNT\TEMP\idd1FD.tmp.exe
C:\WINNT\TEMP\idd212.tmp.exe
C:\WINNT\TEMP\idd227.tmp.exe
C:\WINNT\TEMP\idd242.tmp.exe
C:\WINNT\TEMP\idd257.tmp.exe
C:\WINNT\TEMP\idd26C.tmp.exe
C:\WINNT\TEMP\idd287.tmp.exe
C:\WINNT\TEMP\idd29F.tmp.exe
C:\WINNT\TEMP\idd2B4.tmp.exe
C:\WINNT\TEMP\idd2CF.tmp.exe
C:\WINNT\TEMP\idd2E4.tmp.exe
C:\WINNT\TEMP\idd2F9.tmp.exe
C:\WINNT\TEMP\idd314.tmp.exe
C:\WINNT\TEMP\idd329.tmp.exe
C:\WINNT\TEMP\idd33E.tmp.exe
C:\WINNT\TEMP\idd359.tmp.exe
C:\WINNT\TEMP\idd36E.tmp.exe
C:\WINNT\TEMP\idd383.tmp.exe
C:\WINNT\TEMP\idd39E.tmp.exe
C:\WINNT\TEMP\idd3B3.tmp.exe
C:\WINNT\TEMP\idd3C8.tmp.exe
C:\WINNT\TEMP\idd3E3.tmp.exe
C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\TEMP\win76.tmp.exe
C:\Archivos de programa\Gary\viewthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARCHIV~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {C6A3D072-C5BC-4982-A8EA-9D422B385715} - C:\WINNT\system32\sstqq.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Archivos de programa\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINNT\system32\winword.dll
O20 - Winlogon Notify: sstqq - C:\WINNT\system32\sstqq.dll
O20 - Winlogon Notify: winvlj32 - C:\WINNT\SYSTEM32\winvlj32.dll
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Archivos de programa\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
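
The entries pated quotes (the same DLL registered both as an O2 BHO and as an O20 Winlogon Notify package, an AppInit_DLLs entry, and a long run of randomly named .tmp.exe processes under C:\WINNT\TEMP) are exactly the pattern a triage script can pull out of a HijackThis log without eyeballing a hundred lines. The Python below is an added example, not part of the thread and not a tool anyone in it used; the log excerpt it parses is constructed from the lines in the post above with two clean entries added for contrast, and the "three or more temp executables" threshold is this example's own assumption.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format, modelled on the post above.
# The sstqq.dll / winvlj32.dll / idd*.tmp.exe lines come from the quoted log;
# smss.exe, winlogon.exe and the Acrobat BHO are normal entries kept for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\TEMP\idd89.tmp.exe
C:\WINNT\TEMP\iddA4.tmp.exe
C:\WINNT\TEMP\iddB9.tmp.exe
C:\WINNT\TEMP\win76.tmp.exe
C:\Archivos de programa\Gary\viewthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C6A3D072-C5BC-4982-A8EA-9D422B385715} - C:\WINNT\system32\sstqq.dll
O20 - AppInit_DLLs: C:\WINNT\system32\winword.dll
O20 - Winlogon Notify: sstqq - C:\WINNT\system32\sstqq.dll
O20 - Winlogon Notify: winvlj32 - C:\WINNT\SYSTEM32\winvlj32.dll
"""

# One regex per HJT section type we care about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
# A running process dropped as <something>.tmp.exe inside a TEMP directory.
TEMP_EXE_RE = re.compile(r"\\TEMP\\[^\\]+\.tmp\.exe$", re.IGNORECASE)

# Assumed threshold: a few temp executables is suspicious; one might be an installer.
TEMP_CLUSTER_THRESHOLD = 3


def parse_hjt(text):
    """Split a HijackThis log into the sections used by triage()."""
    parsed = {"processes": [], "bhos": [], "notify": [], "appinit": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            # The process list runs until the first blank line.
            if not line:
                in_processes = False
            else:
                parsed["processes"].append(line)
            continue
        m = BHO_RE.match(line)
        if m:
            parsed["bhos"].append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            parsed["notify"].append(m.groupdict())
            continue
        m = APPINIT_RE.match(line)
        if m:
            parsed["appinit"].append(m.group("path"))
    return parsed


def triage(parsed):
    """Return (kind, detail) findings that deserve a human look."""
    findings = []
    # Winlogon Notify paths, lower-cased so system32 and SYSTEM32 compare equal.
    notify_paths = {n["path"].lower() for n in parsed["notify"]}
    for bho in parsed["bhos"]:
        if bho["path"].lower() in notify_paths:
            # Same DLL hooked into both IE and winlogon: it reloads itself, which
            # is why a plain HJT "Fix" on either line alone does not stick.
            findings.append(("dual_persistence", bho["path"]))
        if bho["name"] == "(no name)":
            findings.append(("unnamed_bho", bho["path"]))
    for path in parsed["appinit"]:
        # AppInit_DLLs injects into every process that loads user32.dll.
        findings.append(("appinit_dll", path))
    temp_exes = [p for p in parsed["processes"] if TEMP_EXE_RE.search(p)]
    if len(temp_exes) >= TEMP_CLUSTER_THRESHOLD:
        findings.append(("temp_exe_cluster", f"{len(temp_exes)} processes"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:18} {detail}")
```

Running it on the constructed excerpt reports the dual BHO/Winlogon Notify registration of sstqq.dll, the unnamed BHO, the AppInit_DLLs entry and a cluster of four temp executables; winvlj32.dll is only a Notify package and so is left to the remaining O20 review rather than flagged as dual persistence.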

LonnyRJones
2006-08-02, 09:37
Hello pated

Do you have an antivirus program installed ?

Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to the root drive, e.g. Local Disk C: or the partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less (up to five).
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two minutes, then turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

tashi
2006-08-07, 09:35
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.