Thread: Virtumonde found pls help (7 posts)

  #1 Junior Member (joined Dec 2007, 5 posts)

    Virtumonde found pls help

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:36:13 PM, on 12/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\vdvbjwtc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...ww.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:5250/spin/AVClient/...=4&BigButton=3
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [78a41270] rundll32.exe "C:\WINDOWS\system32\adnfxcox.dll",b
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [eCopy Desktop Inbox Monitor] C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.EXE -run
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151419262\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Run RunOnce] W:\RunOnce.exe C:\Documents and Settings\Amy\Desktop\UPS\UOWS\ShipUPS.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\Documents and Settings\Amy\Desktop\UPS\UOWS\Messages\WSDMessaging.exe
    O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\Documents and Settings\Amy\Desktop\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Search - ?p=ZNxdm824YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187924381854
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\Software\..\Telephony: DomainName = sackmansuites.private
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O20 - AppInit_DLLs: EQDtpSp.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Print Tracking\Client\EQSharedEngine.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7412 bytes
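One way to triage an HJT log like the one above mechanically, as an added example that is not part of the original thread and not a HijackThis or Safer Networking tool: it parses the log text and applies a few heuristics that I (the editor) am assuming are characteristic of what a Vundo-style infection leaves behind (a Run entry that starts rundll32 on a DLL in system32 under an 8-hex-digit entry name, an executable in system32 that is not in a known-good baseline, a non-empty AppInit_DLLs value, an orphaned BHO) and lists the matching entries for an analyst to confirm. The sample log is constructed from a subset of lines in the two HJT logs in this thread; the baseline set of system32 binaries is an assumption, not an authoritative list. Note that the AppInit_DLLs check also fires on the O20 entry here, which sits next to an Equitrac service in O23, so that hit is a "confirm the vendor" item, not a verdict.

```python
"""Triage an HJT 2.0 log for entries that deserve a second look.

Editor's example, not part of the thread and not a HijackThis feature.
The heuristics are assumptions about what a Vundo-style infection leaves
behind; a hit means "confirm this", not "this is malware".
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section item reason")

# Constructed sample: a subset of lines copied from the two HJT logs in this
# thread (the first post and the normal-mode log), trimmed to what the
# heuristics examine.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vdvbjwtc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [78a41270] rundll32.exe "C:\WINDOWS\system32\adnfxcox.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: EQDtpSp.dll
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Print Tracking\Client\EQSharedEngine.exe
"""

# Assumed known-good baseline of system32 executables seen in an XP process
# list. A real baseline would be taken from a clean machine of the same build.
KNOWN_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wuauclt.exe",
    "hkcmd.exe", "igfxpers.exe", "igfxtray.exe",
}

# O4 Run entry that starts rundll32 on a DLL and calls one export, e.g.
#   O4 - HKLM\..\Run: [78a41270] rundll32.exe "C:\WINDOWS\system32\x.dll",b
RUNDLL_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32(?:\.exe)? "?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)\s*$',
    re.IGNORECASE,
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage(log_text):
    """Return a list of Finding(section, original line, reason)."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False       # the process list ends at the blank line
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            base = line.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in line.lower() and base not in KNOWN_SYSTEM32:
                findings.append(Finding("process", line,
                    "executable in system32 that is not in the known-good baseline"))
            continue
        m = RUNDLL_RE.match(line)
        if m:
            reason = "Run entry loads a DLL through rundll32"
            if "\\system32\\" in m.group("dll").lower():
                reason += " from system32"
            if HEX_NAME_RE.match(m.group("name")):
                reason += "; entry name is an 8-hex-digit random-looking value"
            findings.append(Finding("O4", line, reason))
            continue
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("O20", line,
                "AppInit_DLLs is set: the DLL loads into every process that "
                "links user32.dll; confirm the vendor before touching it"))
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("O2", line,
                "BHO registration whose DLL is gone (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}\n    -> {f.reason}")
```

Run against the sample it reports four items: the unrecognised system32 process, the orphaned BHO, the rundll32 Run entry and the AppInit_DLLs value; the legitimate igfxtray and ctfmon entries stay quiet because they are in the baseline and do not match the rundll32 shape.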

  #2 Junior Member (joined Dec 2007, 5 posts)

    Virtumonde found pls help

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, December 07, 2007 1:31:10 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/12/2007
    Kaspersky Anti-Virus database records: 475244
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    K:\
    W:\

    Scan Statistics:
    Total number of scanned objects: 92732
    Number of viruses found: 35
    Number of infected objects: 97
    Number of suspicious objects: 0
    Duration of the scan process: 00:55:00

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11212007-135526.log Object is locked skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1df44533.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1df44533.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-71f59e00.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-71f59e00.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-194c6ac5.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-194c6ac5.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Amy\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\History\History.IE5\MSHist012007120720071208\index.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\Mirar_VC_Setup_876923.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\mit1E0.tmp/Mirar_VC_Setup_876923.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\mit1E0.tmp CAB: infected - 1 skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\mit1E0.tmp.cab/Mirar_VC_Setup_876923.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\mit1E0.tmp.cab CAB: infected - 1 skipped
    C:\Documents and Settings\Amy\Local Settings\Temp\temp.frEE95 Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
    C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\Content.IE5\U1FE91SH\poiu[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\Amy\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Amy\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\angela\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\ptch[2] Infected: Trojan.Win32.BHO.abs skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\upgrade[1].cab/upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\upgrade[1].cab/upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\upgrade[1].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\upgrade[1].cab CAB: infected - 4 skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\sabrina\Local Settings\Temp\winshow.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
    C:\Documents and Settings\sabrina\Local Settings\Temp\wr-1-77.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
    C:\Program Files\OneStepSearch\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Program Files\OneStepSearch\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP543\A0027479.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP546\A0027548.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0027601.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0027601.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0027601.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP548\A0027601.exe NSIS: infected - 3 skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP549\A0027724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027891.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027898.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027900.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027901.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027902.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027903.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027904.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027905.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027906.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027907.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027908.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027909.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027910.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027912.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027914.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027916.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027917.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027919.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027920.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027921.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP553\A0027922.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027940.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027941.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027943.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027944.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027945.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027946.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027947.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027948.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027949.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027956.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0027957.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0028956.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\A0028957.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\change.log Object is locked skipped
    C:\WINDOWS\b149.exe Infected: Trojan-Dropper.Win32.Agent.ctu skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\system32\awtttqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\bqxaiwoc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\cbxwvsp.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\fsstfruw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\g2\bemwdll3.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
    C:\WINDOWS\system32\gbetmwnw.dll Infected: Trojan.Win32.BHO.abs skipped
    C:\WINDOWS\system32\gebcayx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\hggeeef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\jkkhhii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\khfecyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\kmkstjnc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
    C:\WINDOWS\system32\lbfciyar.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
    C:\WINDOWS\system32\ljjgfee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
    C:\WINDOWS\system32\ljjifca.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\nprvjtvf.dll Infected: Trojan.Win32.BHO.abs skipped
    C:\WINDOWS\system32\oeacfhgm.dll Infected: Trojan.Win32.BHO.abs skipped
    C:\WINDOWS\system32\pmkjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arw skipped
    C:\WINDOWS\system32\pxnosaks.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
    C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\WINDOWS\system32\rugsgmvh.dll Infected: Trojan.Win32.BHO.abs skipped
    C:\WINDOWS\system32\sotmomvk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\tiydpbjp.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped
    C:\WINDOWS\system32\vdvbjwtc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\vturq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arw skipped
    C:\WINDOWS\system32\vtuuutu.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wdqlxjpn.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
    C:\WINDOWS\system32\ykxtcecp.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
    C:\WINDOWS\Temp\hsperfdata_SYSTEM\1860 Object is locked skipped
    C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe NSIS: infected - 3 skipped

    Scan process completed.
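The Kaspersky report above is long mostly because of restore-point copies under System Volume Information and archive members reported one per inner object. The following is an added example (editor's code, not Kaspersky's or the forum's) that parses the report line shapes visible on this page, separates locked-but-unscanned objects from detections, collapses nested archive members onto the file that is actually on disk, splits restore-point hits from live ones, groups live hits by verdict family, and cross-references the live files against the HJT "Running processes" list. The sample report and the process list are constructed from a subset of lines in this thread; treating the "not-a-virus:" prefix as adware/PUP versus everything else as malware is the editor's convention.

```python
"""Summarise a Kaspersky Online Scanner report and cross-check it against
the HJT process list.

Editor's example, not Kaspersky's or the forum's code. It assumes the line
shapes visible on this page: '<path> Infected: <verdict> skipped',
'<path> Object is locked skipped', '<path> ZIP|CAB|NSIS: infected - N skipped'.
"""
import re
from collections import Counter

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>ZIP|CAB|NSIS): infected - (?P<count>\d+) skipped$")

RESTORE_MARKER = "\\system volume information\\_restore"

# Constructed sample: a subset of the report lines from this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1df44533.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1df44533.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Amy\Local Settings\Temp\temp.frEE95 Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP549\A0027724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP554\change.log Object is locked skipped
C:\WINDOWS\b149.exe Infected: Trojan-Dropper.Win32.Agent.ctu skipped
C:\WINDOWS\system32\awtttqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\gbetmwnw.dll Infected: Trojan.Win32.BHO.abs skipped
C:\WINDOWS\system32\vdvbjwtc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONEE6.tmp\upgrade.exe NSIS: infected - 3 skipped
"""

# Constructed: a few entries from the "Running processes" block of the first HJT log.
HJT_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\vdvbjwtc.exe",
]


def on_disk_path(path):
    """Nested members are reported as 'archive/member'; the file to act on is the archive."""
    return path.split("/", 1)[0]


def family(verdict):
    """'not-a-virus:AdWare.Win32.Virtumonde.apx' -> 'AdWare.Win32.Virtumonde' (drop variant)."""
    parts = verdict.split(":", 1)[-1].split(".")
    return ".".join(parts[:3])


def parse_report(text):
    """Turn report lines into dicts with path, status and verdict/container kind."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for status, rx in (("infected", INFECTED_RE), ("container", CONTAINER_RE),
                           ("locked", LOCKED_RE)):
            m = rx.match(line)
            if m:
                gd = m.groupdict()
                records.append({"path": gd["path"], "status": status,
                                "verdict": gd.get("verdict") or gd.get("kind")})
                break
    return records


def summarize(records):
    infected = [r for r in records if r["status"] == "infected"]
    live = [r for r in infected if RESTORE_MARKER not in r["path"].lower()]
    return {
        "infected_objects": len(infected),
        "locked_objects": sum(r["status"] == "locked" for r in records),
        "restore_point_objects": len(infected) - len(live),
        "live_files": sorted({on_disk_path(r["path"]) for r in live}),
        "live_system32": sorted({on_disk_path(r["path"]) for r in live
                                 if "\\system32\\" in r["path"].lower()}),
        "live_families": Counter(family(r["verdict"]) for r in live),
        "live_by_class": Counter("pup" if r["verdict"].startswith("not-a-virus:")
                                 else "malware" for r in live),
    }


def cross_reference(live_files, running_processes):
    """Live detections that were also running when the HJT log was captured."""
    running = {p.lower() for p in running_processes}
    return sorted(p for p in live_files if p.lower() in running)


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("running and infected:", cross_reference(summary["live_files"], HJT_PROCESSES))
```

The locked entries (registry hives, event logs, index.dat files, the restore-point change.log) are not detections; they are files the scanner could not open and they would be present on a clean machine too. Restore-point copies are collapsed into a single count because they are handled by purging System Restore rather than file by file. On this sample the cross-reference returns vdvbjwtc.exe, the one file that is both a live detection and in the running-process list.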

  #3 Emeritus-Security Expert, Florida's SpaceCoast (joined Nov 2005, 15,208 posts)

    Hello grege2000

    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here, is taken at own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Please reply to this thread only by using Submit Reply, and do not start a new topic, or your posts will be all over the forum and we won't be able to keep track of you.


    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



    This is important; do this before you post a HJT log:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe


    I need to see the VundoFix log, the ComboFix log and a new HJT log (from HJT renamed to Scanner.exe), and I need you to run HJT in normal Windows, not Safe Mode, or it won't show the whole picture.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  #4 Junior Member (joined Dec 2007, 5 posts)

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13, on 2007-12-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Equitrac\Print Tracking\Client\EQSharedEngine.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    C:\Program Files\Common Files\AOL\1151419262\ee\AOLSoftware.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Documents and Settings\Amy\Desktop\UPS\UOWS\Messages\WSDMessaging.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:5250/spin/AVClient/...=4&BigButton=3
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [eCopy Desktop Inbox Monitor] C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.EXE -run
    O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151419262\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Run RunOnce] W:\RunOnce.exe C:\Documents and Settings\Amy\Desktop\UPS\UOWS\ShipUPS.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\Documents and Settings\Amy\Desktop\UPS\UOWS\Messages\WSDMessaging.exe
    O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\Documents and Settings\Amy\Desktop\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Search - ?p=ZNxdm824YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187924381854
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\Software\..\Telephony: DomainName = sackmansuites.private
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sackmansuites.private
    O20 - AppInit_DLLs: EQDtpSp.dll
    O20 - Winlogon Notify: yayyaxx - yayyaxx.dll (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Print Tracking\Client\EQSharedEngine.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8602 bytes

  5. #5
    Junior Member
    Join Date
    Dec 2007
    Posts
    5

    Default ComboFix Log

    ComboFix 07-12-09.1 - amy 2007-12-11 10:03:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1415 [GMT -5:00]
    Running from: C:\Documents and Settings\Amy\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\sabrina\Start Menu\Programs\MalwareAlarm
    C:\WINDOWS\b149.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\adnfxcox.dll
    C:\WINDOWS\system32\awtttqr.dll
    C:\WINDOWS\system32\b1
    C:\WINDOWS\system32\bqxaiwoc.dll
    C:\WINDOWS\system32\bwhffewi.ini
    C:\WINDOWS\system32\cbxwvsp.dll
    C:\WINDOWS\system32\efefteap.dll
    C:\WINDOWS\system32\elidtdgt.dll
    C:\WINDOWS\system32\g2
    C:\WINDOWS\system32\gpyfvqqx.dll
    C:\WINDOWS\system32\hmdffxxj.dll
    C:\WINDOWS\system32\i2
    C:\WINDOWS\system32\ibqtuejo.dll
    C:\WINDOWS\system32\indbxfjo.dll
    C:\WINDOWS\system32\iweffhwb.dll
    C:\WINDOWS\system32\jjkmp.bak1
    C:\WINDOWS\system32\jjkmp.bak2
    C:\WINDOWS\system32\jjkmp.ini
    C:\WINDOWS\system32\jjkmp.ini2
    C:\WINDOWS\system32\jjkmp.tmp
    C:\WINDOWS\system32\jlcgntkr.dll
    C:\WINDOWS\system32\jxxffdmh.ini
    C:\WINDOWS\system32\kdmluxph.dll
    C:\WINDOWS\system32\kxrkcdsl.dll
    C:\WINDOWS\system32\ljjifca.dll
    C:\WINDOWS\system32\lmhnuybr.dll
    C:\WINDOWS\system32\n8
    C:\WINDOWS\system32\nibybnej.dll
    C:\WINDOWS\system32\nprvjtvf.dll
    C:\WINDOWS\system32\oeacfhgm.dll
    C:\WINDOWS\system32\ojfxbdni.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\paetfefe.ini
    C:\WINDOWS\system32\pmkjj.dll
    C:\WINDOWS\system32\pxnosaks.dll
    C:\WINDOWS\system32\qrutv.bak1
    C:\WINDOWS\system32\qrutv.ini
    C:\WINDOWS\system32\rbyunhml.ini
    C:\WINDOWS\system32\rccgmvup.dll
    C:\WINDOWS\system32\rMa01yy
    C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
    C:\WINDOWS\system32\rMa02yy
    C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe
    C:\WINDOWS\system32\rugsgmvh.dll
    C:\WINDOWS\system32\txtcfjsp.dll
    C:\WINDOWS\system32\txtepsvc.dll
    C:\WINDOWS\system32\ujwiohne.dll
    C:\WINDOWS\system32\vberngyw.dll
    C:\WINDOWS\system32\wdqlxjpn.dll
    C:\WINDOWS\system32\wygnrebv.ini
    C:\WINDOWS\system32\xocxfnda.ini
    C:\WINDOWS\system32\xqqvfypg.ini
    C:\WINDOWS\system32\ykxtcecp.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
    .

    2007-12-11 09:54 . 2007-12-11 09:54 <DIR> d-------- C:\VundoFix Backups
    2007-12-11 09:13 . 2007-12-11 09:13 74,304 --a------ C:\WINDOWS\system32\niwpargb.exe
    2007-12-10 09:09 . 2007-12-10 09:09 74,304 --a------ C:\WINDOWS\system32\rsegpuqn.exe
    2007-12-07 15:28 . 2007-12-07 15:28 74,304 --a------ C:\WINDOWS\system32\gxralevd.exe
    2007-12-07 15:23 . 2007-12-07 15:23 74,304 --a------ C:\WINDOWS\system32\ghbgbrxl.exe
    2007-12-07 14:03 . 2007-12-07 14:03 74,304 --a------ C:\WINDOWS\system32\drermkab.exe
    2007-12-07 13:52 . 2007-12-07 13:52 74,304 --a------ C:\WINDOWS\system32\ucgfetwj.exe
    2007-12-07 13:34 . 2007-12-07 13:34 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-07 11:06 . 2007-12-07 11:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-07 11:06 . 2007-12-07 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-07 09:26 . 2007-12-07 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-06 09:14 . 2007-12-07 09:15 834,400 --ahs---- C:\WINDOWS\system32\ervwwgdv.ini
    2007-12-05 13:12 . 2007-12-06 09:12 807,675 --ahs---- C:\WINDOWS\system32\fjckucnu.ini
    2007-12-05 13:00 . 2007-12-05 13:06 807,528 --ahs---- C:\WINDOWS\system32\ghhxdgab.ini
    2007-12-05 09:19 . 2007-12-05 12:51 807,642 --ahs---- C:\WINDOWS\system32\kvmomtos.ini
    2007-11-27 11:43 . 2007-12-05 12:49 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-11-27 11:05 . 2007-11-27 11:05 <DIR> d-------- C:\Documents and Settings\Amy\Application Data\Lavasoft
    2007-11-27 10:50 . 2007-11-27 10:53 176 --ah----- C:\aaw7boot.cmd
    2007-11-23 14:41 . 2007-11-23 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winferno
    2007-11-23 14:16 . 2007-11-23 14:17 <DIR> d-------- C:\Program Files\The Weather Channel FW
    2007-11-23 14:15 . 2007-11-23 14:16 <DIR> d-------- C:\Program Files\VVSN
    2007-11-23 14:15 . 2007-11-27 11:19 <DIR> d-------- C:\Program Files\OneStepSearch
    2007-11-23 14:15 . 2007-12-07 10:00 <DIR> d-------- C:\Program Files\Free Offers from Freeze.com
    2007-11-21 13:55 . 2007-11-21 13:55 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-21 13:52 . 2007-07-09 08:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-20 11:20 . 2007-11-21 14:34 <DIR> d-------- C:\WINDOWS\system32\cc1
    2007-11-20 11:20 . 2007-12-07 10:40 <DIR> d-------- C:\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-07 15:00 --------- d-----w C:\Program Files\AdwareAlert
    2007-12-06 20:23 --------- d-----w C:\Program Files\Google
    2007-12-04 19:24 --------- d-----w C:\Documents and Settings\Amy\Application Data\AdobeUM
    2007-11-28 21:49 --------- d-----w C:\Program Files\AIM6
    2007-11-27 16:09 --------- d-----w C:\Program Files\Lavasoft
    2007-11-23 19:15 --------- d-----w C:\Program Files\Yahoo!
    2007-11-21 20:12 --------- d-----w C:\Documents and Settings\Amy\Application Data\Yahoo!
    2007-11-21 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 15:19 --------- d--h--r C:\Documents and Settings\sabrina\Application Data\yahoo!
    2007-10-26 13:11 --------- d-----w C:\Program Files\Viewpoint
    2007-10-26 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-26 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-19 02:14 184,080 ----a-w C:\WINDOWS\system32\drivers\ino_fltr.sys
    2007-05-23 14:41 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
    "eCopy Desktop Inbox Monitor"="C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.exe" [2004-11-19 09:26]
    "eCopy Desktop Printer Service"="C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe" [2004-11-19 08:50]
    "HostManager"="C:\Program Files\Common Files\AOL\1151419262\ee\AOLSoftware.exe" [2006-05-09 19:24]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35]
    "IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2005-12-10 00:57]
    "Run RunOnce"="W:\RunOnce.exe" []
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    C:\Documents and Settings\Amy\Start Menu\Programs\Startup\
    Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-07-05 11:14:28]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
    UPS WorldShip Messaging Utility.lnk - C:\Documents and Settings\Amy\Desktop\UPS\UOWS\Messages\WSDMessaging.exe [2006-10-20 08:50:58]
    UPS WorldShip PLD Reminder Utility.lnk - C:\Documents and Settings\Amy\Desktop\UPS\UOWS\PldReminder.exe [2006-10-10 13:02:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyaxx]
    yayyaxx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=EQDtpSp.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    R2 EQSharedEngine;EQ Shared Engine;"C:\Program Files\Equitrac\Print Tracking\Client\EQSharedEngine.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-11 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
    - C:\Program Files\AdwareAlert\AdwareAlert.ex
    - C:\Program Files\AdwareAlert
    "2007-12-11 06:31:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2007-12-07 14:00:18 C:\WINDOWS\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    "2007-12-07 15:25:05 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\detoured.dll
    -> C:\DOCUME~1\Amy\LOCALS~1\Temp\hodeejfoN.dll
    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-11 10:10:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-11 10:11:39 - machine was rebooted
    .
    --- E O F ---

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    5

    Default Vundo Fix

    Couldn't download from your link (atribune.org), had to get this file from softpedia, hope it was the right one.


    VundoFix V6.5.10

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:54:14 AM 12/11/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.5.10

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 9:59:48 AM 12/11/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Amy,

    A few things to go over if I may.

    WSDMessaging <-- this is currently under review and has not been rated as safe or bad yet; if you do not use it then uninstall it.

    Messenger Plus I suggest what you do here is uninstall this program and if you want it, reinstall it but as you go through the install do not install any add ons as some could be adware.

    Viewpoint
    Uninstall this program. It installed without your knowledge or consent, uses system resources and is not needed for anything. It's in the process of being rated as Adware.


    My link for Vundofix worked on two computers so it must be your browser blocking it. It found no files because Combofix found and removed most of them.


    Everything we ask you to do is for a reason and you did not rename HJT to Scanner.exe like I asked. The reason for that is because the thieves that have written Vundo have written it to go undetected by HJT, and by renaming it to something else, Vundo entries will show up on your HJT log. So before you post a new log, follow my previous instructions and rename it please.

    We got rid of most of Vundo but there is still a little more to do. Do this in order please.

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


    Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

    ========================================
    Please download SuperAntiSpyware
    Install the program
    • Run SuperAntiSpyware and click: Check for updates
    • Once the update is finished, on the main screen, click: Scan your computer
    • Check: Perform Complete Scan
    • Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Then, click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click: Preferences
    • Click the Statistics/Logs tab
    • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

    ==================================

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space to the left of and above File::

    File::
    C:\WINDOWS\system32\niwpargb.exe
    C:\WINDOWS\system32\rsegpuqn.exe
    C:\WINDOWS\system32\gxralevd.exe
    C:\WINDOWS\system32\ghbgbrxl.exe
    C:\WINDOWS\system32\drermkab.exe
    C:\WINDOWS\system32\ucgfetwj.exe
    C:\WINDOWS\system32\ervwwgdv.ini
    C:\WINDOWS\system32\fjckucnu.ini
    C:\WINDOWS\system32\ghhxdgab.ini
    C:\WINDOWS\system32\kvmomtos.ini
    C:\WINDOWS\system32\mcrh.tmp

    Folder::
    C:\VundoFix Backups
    C:\Program Files\OneStepSearch

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyaxx]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    Let me see the SAS log, the new Combofix log and a new HJT log renamed please.

    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
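The HijackThis sections the expert keeps coming back to in this thread (O2 BHOs, O4 Run values, O8 context-menu items, O20 AppInit_DLLs/Winlogon Notify) can be pre-sorted mechanically before a human looks at the log. The script below is an added example, not code from this thread and not part of Trend Micro's HijackThis; the sample lines are constructed to resemble the logs posted above, and the `triage` function, the `Finding` class and the heuristics themselves are the example's own. It only flags entries for review; deciding what is malicious still needs a person, as it did here.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis output posted in this thread.
# (Not a real log file; the lines are copied or paraphrased for illustration.)
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [78a41270] rundll32.exe "C:\WINDOWS\system32\adnfxcox.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: &Search - ?p=ZNxdm824YYUS
O20 - AppInit_DLLs: EQDtpSp.dll
O20 - Winlogon Notify: yayyaxx - yayyaxx.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""

# Run-value names that are only hex digits (like "78a41270" in the log above)
# are not how legitimate installers normally name their autostart entries.
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
# "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O8 - Extra context menu item: <label> - <target>"
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<label>.*?) - (?P<target>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def triage(log_text: str) -> list[Finding]:
    """Apply a few conservative review heuristics to HijackThis log lines."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        lower = line.lower()

        # Entries pointing at a file that no longer exists are either leftovers
        # or a component that is hiding; either way they need attention.
        if "(no file)" in lower or "(file missing)" in lower:
            findings.append(Finding(section, "references a component whose file is absent", line))
            continue

        # AppInit_DLLs and Winlogon Notify DLLs load into every process or into
        # winlogon itself, so every O20 entry should have a known publisher.
        if section == "O20":
            findings.append(Finding(section, "DLL is injected into winlogon or every process; confirm the publisher", line))
            continue

        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").lower()
            if HEX_NAME.match(name):
                findings.append(Finding(section, "Run value has a hex-looking name instead of a product name", line))
            if cmd.startswith("rundll32.exe") and "\\system32\\" in cmd and ".dll" in cmd:
                findings.append(Finding(section, "rundll32 loads a DLL from system32 at logon", line))
            continue

        m = O8_RE.match(line)
        if m:
            target = m.group("target").lower()
            # Legitimate context-menu items point at a res:// resource, a web
            # URL or a local file; a bare query string like "?p=..." does not.
            if not (target.startswith(("res://", "http://", "https://")) or ":\\" in target):
                findings.append(Finding(section, "context-menu target is neither a res:// URL, web URL nor local path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports six findings: the BHO with no file, the hex-named Run value (twice, once for its name and once for the rundll32 loader), the `?p=` context-menu item, and both O20 entries. Everything it does not flag (Spybot's BHO, Windows Defender, the pcAnywhere service) still appears in the log for the reviewer; the script only orders the work, it does not remove anything.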
