
Thread: Unable to remove virtumonde

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    Unable to remove virtumonde

    I think I have the Virtumonde virus, and Spybot will get rid of it, but then it comes right back. Spybot also detects Virtumonde.generic as well. Any thoughts or help would be appreciated.

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello mmrose

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Download Trend Micro's HijackThis to your desktop.
    Double click it to install.
    Follow the prompts; by default it will install to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    The thieves who wrote Vundo have written it to go undetected by HijackThis, so we need to rename it to something else so those entries will show up in your log.
    This is important; do this and post a new HijackThis log.
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe

    • Open HJT, then Scan and Save a Log File; it will open in Notepad
    • Go to Format and make sure Word Wrap is unchecked
    • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not Start a New Thread.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    HJT Log File

    Below is the HJT log file. Thanks for your help with this.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:42 AM, on 1/5/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {31A5020B-3032-45E8-BC2A-7DC47C826F79} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: {cc871ec1-060e-1439-15c4-96018c38f5a4} - {4a5f83c8-1069-4c51-9341-e0601ce178cc} - C:\WINDOWS\System32\sobbllbu.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {63BA1D55-59F2-4EBF-A438-1F4AE0C8C296} - C:\WINDOWS\System32\nnnop.dll (file missing)
    O2 - BHO: (no name) - {7EEDC5E5-9A95-4F5F-B67E-2F4716344A24} - C:\WINDOWS\System32\nnlif.dll (file missing)
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O2 - BHO: (no name) - {bc73db20-3d9a-45c6-8bb9-1214971511c1} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\System32\qomkifc.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [588c1d5f] rundll32.exe "C:\WINDOWS\System32\cochoegf.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsweb.bf.umich.edu/msrdp.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
    O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
    O20 - Winlogon Notify: qomkifc - qomkifc.dll (file missing)
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS

    --
    End of file - 6049 bytes

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello,

    You're pretty well infected with the Vundo Trojan; let's do a few things.

    You need to disable TeaTimer in Spybot Search and Destroy, or it may prevent the fixes from taking.

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer for it to take effect.

    ===================================

    Open HijackThis and do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {31A5020B-3032-45E8-BC2A-7DC47C826F79} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: {cc871ec1-060e-1439-15c4-96018c38f5a4} - {4a5f83c8-1069-4c51-9341-e0601ce178cc} - C:\WINDOWS\System32\sobbllbu.dll
    O2 - BHO: (no name) - {63BA1D55-59F2-4EBF-A438-1F4AE0C8C296} - C:\WINDOWS\System32\nnnop.dll (file missing)
    O2 - BHO: (no name) - {7EEDC5E5-9A95-4F5F-B67E-2F4716344A24} - C:\WINDOWS\System32\nnlif.dll (file missing)
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O2 - BHO: (no name) - {bc73db20-3d9a-45c6-8bb9-1214971511c1} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\System32\qomkifc.dll (file missing)

    O4 - HKLM\..\Run: [588c1d5f] rundll32.exe "C:\WINDOWS\System32\cochoegf.dll",b
    O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"

    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

    O20 - Winlogon Notify: qomkifc - qomkifc.dll (file missing)



    ===============================

    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    ===================================

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    ==============================

    There is currently a nasty variant of Vundo going around; let's hope you don't have it. The ComboFix log will tell.

    I need to see the VundoFix log, the ComboFix log and a new HJT log, please.
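The entries the helper ticks for Fix Checked above were picked by eye from the log. As an added example (not code from this thread or from HijackThis), the Python script below parses the O2, O4, O16 and O20 lines of a HijackThis v2 log in the format posted here and flags the same patterns: BHOs registered with no readable name or pointing at a DLL that is no longer on disk, Run keys that load a DLL through rundll32, ActiveX (DPF) entries pulled through the ms-its:/mhtml: handler, and Winlogon Notify packages whose DLL is missing. The "5 to 8 random lowercase letters in System32" check is a heuristic assumed from the filenames in this thread, not a HijackThis rule; the sample log is constructed from lines on this page plus legitimate entries that must not be flagged.

```python
"""Triage a HijackThis v2 log for Vundo-style persistence entries.

Added example, not code from the thread or from HijackThis. It parses the
O2 (BHO), O4 (Run key), O16 (DPF/ActiveX) and O20 (Winlogon Notify) lines
in the format posted in this thread and flags the patterns the helper
picked by hand. The random-name check is a heuristic assumed from the
filenames seen in this thread, not a HijackThis rule.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log posted above, plus
# legitimate entries (Adobe, Spybot, McAfee, the RDP control) that must
# not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31A5020B-3032-45E8-BC2A-7DC47C826F79} - C:\WINDOWS\System32\vtutt.dll (file missing)
O2 - BHO: {cc871ec1-060e-1439-15c4-96018c38f5a4} - {4a5f83c8-1069-4c51-9341-e0601ce178cc} - C:\WINDOWS\System32\sobbllbu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {bc73db20-3d9a-45c6-8bb9-1214971511c1} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [588c1d5f] rundll32.exe "C:\WINDOWS\System32\cochoegf.dll",b
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsweb.bf.umich.edu/msrdp.cab
O20 - Winlogon Notify: qomkifc - qomkifc.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (assumption): Vundo drops DLLs named with 5-8 random lowercase
# letters directly in System32; vendor DLLs there are rarely named that way.
RANDOM_DLL_RE = re.compile(r"\\([a-z]{5,8})\.dll\b")


def triage(log_text: str) -> List[Dict]:
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons: List[str] = []
        if section == "O2" and body.startswith("BHO: "):
            # Layout is "BHO: <name> - {CLSID} - <dll path>"
            parts = body[len("BHO: "):].split(" - ")
            name, path = parts[0], parts[-1]
            if name == "(no name)" or GUID_RE.fullmatch(name):
                reasons.append("BHO registered without a readable name")
            if "(file missing)" in path or path == "(no file)":
                reasons.append("BHO CLSID still registered but its DLL is gone")
            if "system32" in path.lower() and RANDOM_DLL_RE.search(path):
                reasons.append("random-looking DLL name in System32 (heuristic)")
        elif section == "O4":
            if "rundll32.exe" in body.lower():
                reasons.append("Run key loads a DLL through rundll32")
            if "system32" in body.lower() and RANDOM_DLL_RE.search(body):
                reasons.append("random-looking DLL name in System32 (heuristic)")
        elif section == "O16" and "ms-its:" in body.lower():
            reasons.append("ActiveX download via ms-its:/mhtml: handler")
        elif section == "O20" and "(file missing)" in body:
            reasons.append("Winlogon Notify package whose DLL is gone")
        if reasons:
            findings.append({"section": section, "entry": line, "reasons": reasons})
    return findings


def entries_to_fix(log_text: str) -> List[str]:
    """The HJT lines to tick under Fix Checked, in log order."""
    return [f["entry"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {'; '.join(f['reasons'])}")
        print(f"    {f['entry']}")
```

A "(file missing)" BHO is still worth fixing: the CLSID registration under Browser Helper Objects survives the deletion of the DLL, which is why those entries are on the list even though Spybot already removed the files. Run it against a real log by reading the saved HijackThis text file into triage().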

  5. #5
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    Below is the VundoFix log; others to come shortly.

    VundoFix log:

    VundoFix V6.7.7

    Checking Java version...

    Sun Java not detected
    Scan started at 9:29:29 AM 1/6/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\aknqwqdd.dll
    C:\WINDOWS\system32\aywnjbus.dll
    C:\WINDOWS\system32\bxttaymh.ini
    C:\WINDOWS\system32\cochoegf.dll
    C:\WINDOWS\system32\fgeohcoc.ini
    C:\WINDOWS\system32\hmyattxb.dll
    C:\WINDOWS\system32\ibglnwgr.dll
    C:\WINDOWS\system32\kqqtvwfs.dll
    C:\WINDOWS\system32\ohhwsguu.dll
    C:\WINDOWS\system32\qktgyokp.dll
    C:\WINDOWS\system32\vtlsgbcl.dll
    C:\WINDOWS\system32\xmjrxivq.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\aknqwqdd.dll
    C:\WINDOWS\system32\aknqwqdd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\aywnjbus.dll
    C:\WINDOWS\system32\aywnjbus.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\bxttaymh.ini
    C:\WINDOWS\system32\bxttaymh.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cochoegf.dll
    C:\WINDOWS\system32\cochoegf.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fgeohcoc.ini
    C:\WINDOWS\system32\fgeohcoc.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hmyattxb.dll
    C:\WINDOWS\system32\hmyattxb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ibglnwgr.dll
    C:\WINDOWS\system32\ibglnwgr.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kqqtvwfs.dll
    C:\WINDOWS\system32\kqqtvwfs.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ohhwsguu.dll
    C:\WINDOWS\system32\ohhwsguu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qktgyokp.dll
    C:\WINDOWS\system32\qktgyokp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtlsgbcl.dll
    C:\WINDOWS\system32\vtlsgbcl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xmjrxivq.dll
    C:\WINDOWS\system32\xmjrxivq.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    ComboFix log

    Below is the ComboFix log:

    ComboFix 08-01-04.1 - Owner 2008-01-06 9:52:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.98 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\WinTouch
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\QdrModule10.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\QdrPack11.exe
    C:\Temp\tpBe12
    C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
    C:\WINDOWS\system32\aeomlyfn.ini
    C:\WINDOWS\system32\filnn.bak1
    C:\WINDOWS\system32\filnn.bak2
    C:\WINDOWS\system32\filnn.ini
    C:\WINDOWS\system32\filnn.ini2
    C:\WINDOWS\system32\filnn.tmp
    C:\WINDOWS\system32\ineWc01
    C:\WINDOWS\system32\kkknnakb.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\ponnn.bak1
    C:\WINDOWS\system32\ponnn.bak2
    C:\WINDOWS\system32\ponnn.ini
    C:\WINDOWS\system32\ttutv.bak1
    C:\WINDOWS\system32\ttutv.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-06 09:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-06 09:29 . 2008-01-06 09:29 <DIR> d-------- C:\VundoFix Backups
    2008-01-05 11:48 . 2008-01-05 11:48 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 13:23 . 2007-12-29 13:23 <DIR> d-------- C:\Documents and Settings\Matt Rose\Application Data\Share-to-Web Upload Folder
    2007-12-29 13:21 . 2007-12-29 13:21 13,026 --a------ C:\WINDOWS\system32\wpa.bak
    2007-12-29 13:14 . 2008-01-06 09:49 512 --a------ C:\WINDOWS\randseed.rnd
    2007-12-29 13:09 . 2001-08-30 05:30 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2007-12-29 13:08 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
    2007-12-29 13:08 . 2001-08-17 22:36 175,104 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpadm.dll
    2007-12-29 13:04 . 2001-08-30 05:30 112,128 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-12-29 13:04 . 2001-08-30 05:30 112,128 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-12-29 13:04 . 2001-08-30 05:30 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-12-29 13:04 . 2001-08-30 05:30 95,744 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-12-29 12:09 . 2007-12-29 12:25 <DIR> d-------- C:\Program Files\PC-Doctor for Windows
    2007-12-29 12:09 . 1999-09-01 13:55 31,968 --a------ C:\WINDOWS\system32\drivers\PcdrNt.sys
    2007-12-29 11:48 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
    2007-12-29 11:48 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-12-29 11:47 . 2007-12-29 12:12 15,764 --a------ C:\WINDOWS\setupapi.old
    2007-12-27 09:17 . 2007-12-29 15:06 431 --a------ C:\WINDOWS\wininit.ini
    2007-12-27 08:07 . 2008-01-05 11:43 13,026 --a------ C:\WINDOWS\system32\wpa.dbl
    2007-12-23 11:10 . 2007-12-23 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 20:01 . 2007-12-20 20:01 165,472 --a------ C:\WINDOWS\system32\nrccuygg.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-29 16:47 --------- d-----w C:\Program Files\SIFXINST
    2007-12-29 16:47 --------- d-----w C:\Program Files\Gateway
    2007-12-15 14:28 --------- d-----w C:\Program Files\Savings Bond Wizard
    2007-11-28 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
    2007-11-25 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor
    2007-11-25 16:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-25 16:26 --------- d-----w C:\Program Files\MSXML 6.0
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
    C:\Program Files\QdrDrive\QdrDrive8.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GWMDMMSG"="GWMDMMSG.exe" [2001-08-15 20:25 100913 C:\WINDOWS\GWMDMMSG.exe]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 15:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 01:28:32]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 20:15:54]

    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 07:11]
    S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 09:55:48
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-06 9:57:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-06 14:56:41
    .
    2007-12-16 15:25:07 --- E O F ---
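The file lists in the VundoFix log and the ComboFix log above show a pattern worth automating: each Vundo DLL has .ini/.bak companions whose base name is the DLL's name spelled backwards (cochoegf.dll and fgeohcoc.ini, hmyattxb.dll and bxttaymh.ini, vtutt.dll and ttutv.ini, nnlif.dll and the filnn.* family, nnnop.dll and ponnn.*). As an added example (not code from this thread, VundoFix or ComboFix), the Python below pairs companions with their DLL in a System32 listing, including DLLs that are already gone from disk but still referenced in the HJT log's "(file missing)" entries, so the companions are not left behind. The listing, the referenced-DLL list and the companion extension set are constructed from the names on this page; the extension set is an assumption drawn from these two logs, not an exhaustive list.

```python
"""Pair Vundo DLLs with their reversed-name companion files.

Added example, not code from the thread, VundoFix or ComboFix. The file
lists in the two logs above show that every Vundo DLL has .ini/.bak
companions whose base name is the DLL's name spelled backwards
(cochoegf.dll / fgeohcoc.ini, vtutt.dll / ttutv.ini, nnlif.dll / filnn.*).
This finds those pairs in a System32 listing, including DLLs already
deleted from disk but still referenced in the registry.
"""
import os
from typing import Dict, Iterable, List, Tuple

# Extensions seen on Vundo companions in this thread's logs (assumption:
# the set is what these two logs showed, not an exhaustive list).
COMPANION_EXTS = {".ini", ".ini2", ".bak1", ".bak2", ".tmp"}

# Constructed System32 listing: names from the VundoFix and ComboFix logs
# above plus a few legitimate files that must not be paired.
SYSTEM32_LISTING = [
    "cochoegf.dll", "fgeohcoc.ini",
    "hmyattxb.dll", "bxttaymh.ini",
    "filnn.ini", "filnn.ini2", "filnn.bak1", "filnn.bak2", "filnn.tmp",
    "ponnn.ini", "ponnn.bak1", "ponnn.bak2",
    "ttutv.ini", "ttutv.bak1",
    "kkknnakb.ini", "aeomlyfn.ini",
    "kernel32.dll", "ksuser.dll", "wpa.dbl", "desktop.ini",
]
# DLLs named in the HJT log's O2/O20 entries but already gone from disk
# (constructed from the "(file missing)" lines posted above).
REFERENCED_DLLS = ["vtutt.dll", "nnnop.dll", "nnlif.dll", "qomkifc.dll"]


def _stem_ext(name: str) -> Tuple[str, str]:
    """Lower-cased (stem, extension) so matching is case-insensitive."""
    return os.path.splitext(name.lower())


def find_companions(disk_files: Iterable[str],
                    referenced_dlls: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each DLL (on disk or registry-referenced) to the companion files
    whose stem is the DLL's stem reversed, in listing order."""
    disk_files = list(disk_files)
    dll_by_stem: Dict[str, str] = {}
    for name in disk_files + list(referenced_dlls):
        stem, ext = _stem_ext(name)
        if ext == ".dll":
            dll_by_stem[stem] = name.lower()
    pairs: Dict[str, List[str]] = {}
    for name in disk_files:
        stem, ext = _stem_ext(name)
        if ext not in COMPANION_EXTS:
            continue
        dll = dll_by_stem.get(stem[::-1])  # reverse the stem and look it up
        if dll is not None:
            pairs.setdefault(dll, []).append(name)
    return pairs


def unmatched_companions(disk_files: Iterable[str],
                         referenced_dlls: Iterable[str] = ()) -> List[str]:
    """Companion-extension files with no reversed-name DLL anywhere: either a
    leftover whose DLL was already removed, or a legitimate file such as
    desktop.ini. These are for manual review, not automatic deletion."""
    disk_files = list(disk_files)
    paired = {n for names in find_companions(disk_files, referenced_dlls).values()
              for n in names}
    return [n for n in disk_files
            if _stem_ext(n)[1] in COMPANION_EXTS and n not in paired]


if __name__ == "__main__":
    for dll, companions in find_companions(SYSTEM32_LISTING, REFERENCED_DLLS).items():
        print(f"{dll:14s} <- {', '.join(companions)}")
    print("review manually:", unmatched_companions(SYSTEM32_LISTING, REFERENCED_DLLS))
```

On an affected machine the listing would come from os.listdir(r"C:\WINDOWS\system32") and the referenced DLLs from the HJT log. The unmatched list exists because a reversed-name .ini can outlive its DLL (kkknnakb.ini and aeomlyfn.ini in the ComboFix log have no DLL left to pair with) and because legitimate files share the extension, so nothing in it should be deleted without a look.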

  7. #7
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    New HJT log

    Below is the new HJT logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:02:34 AM, on 1/6/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsweb.bf.umich.edu/msrdp.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
    O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS

    --
    End of file - 4807 bytes

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    mmrose,

    Your Windows operating system is very outdated; you have not run any Windows updates or installed any service packs. In this day and age, with all the threats out on the internet, this is kind of suicidal. Is there any reason for not installing the updates?

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

    File::
    C:\WINDOWS\system32\nrccuygg.dll

    Folder::
    C:\VundoFix Backups

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

  9. #9
    Junior Member
    Join Date
    Dec 2007
    Posts
    6

    New ComboFix log and new HJT log

    In regards to the updates, I thought I was up to date on this desktop, which I obviously am not. My laptop gets most of the work in the house, and this desktop unfortunately is only on maybe once per month. After I get this taken care of, I should be able to run the Windows Update tool, correct?

    Here is the ComboFix Log:
    ComboFix 08-01-04.1 - Owner 2008-01-06 11:25:58.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.69 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\nrccuygg.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix Backups
    C:\VundoFix Backups\addmorefiles.txt
    C:\VundoFix Backups\aknqwqdd.dll.bad
    C:\VundoFix Backups\aywnjbus.dll.bad
    C:\VundoFix Backups\bxttaymh.ini.bad
    C:\VundoFix Backups\cochoegf.dll.bad
    C:\VundoFix Backups\fgeohcoc.ini.bad
    C:\VundoFix Backups\hmyattxb.dll.bad
    C:\VundoFix Backups\ibglnwgr.dll.bad
    C:\VundoFix Backups\kqqtvwfs.dll.bad
    C:\VundoFix Backups\ohhwsguu.dll.bad
    C:\VundoFix Backups\qktgyokp.dll.bad
    C:\VundoFix Backups\vtlsgbcl.dll.bad
    C:\VundoFix Backups\xmjrxivq.dll.bad
    C:\WINDOWS\system32\nrccuygg.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-06 09:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-05 11:48 . 2008-01-05 11:48 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-29 13:23 . 2007-12-29 13:23 <DIR> d-------- C:\Documents and Settings\Matt Rose\Application Data\Share-to-Web Upload Folder
    2007-12-29 13:21 . 2007-12-29 13:21 13,026 --a------ C:\WINDOWS\system32\wpa.bak
    2007-12-29 13:14 . 2008-01-06 11:24 512 --a------ C:\WINDOWS\randseed.rnd
    2007-12-29 13:09 . 2001-08-30 05:30 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2007-12-29 13:08 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
    2007-12-29 13:08 . 2001-08-17 22:36 175,104 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpadm.dll
    2007-12-29 13:04 . 2001-08-30 05:30 112,128 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-12-29 13:04 . 2001-08-30 05:30 112,128 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-12-29 13:04 . 2001-08-30 05:30 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-12-29 13:04 . 2001-08-30 05:30 95,744 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-12-29 12:09 . 2007-12-29 12:25 <DIR> d-------- C:\Program Files\PC-Doctor for Windows
    2007-12-29 12:09 . 1999-09-01 13:55 31,968 --a------ C:\WINDOWS\system32\drivers\PcdrNt.sys
    2007-12-29 11:48 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
    2007-12-29 11:48 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-12-29 11:47 . 2007-12-29 12:12 15,764 --a------ C:\WINDOWS\setupapi.old
    2007-12-27 09:17 . 2007-12-29 15:06 431 --a------ C:\WINDOWS\wininit.ini
    2007-12-27 08:07 . 2008-01-05 11:43 13,026 --a------ C:\WINDOWS\system32\wpa.dbl
    2007-12-23 11:10 . 2007-12-23 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-29 16:47 --------- d-----w C:\Program Files\SIFXINST
    2007-12-29 16:47 --------- d-----w C:\Program Files\Gateway
    2007-12-15 14:28 --------- d-----w C:\Program Files\Savings Bond Wizard
    2007-11-28 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
    2007-11-25 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Maxtor
    2007-11-25 16:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-25 16:26 --------- d-----w C:\Program Files\MSXML 6.0
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-06_ 9.56.23.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-06 14:49:56 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-06 16:24:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-06 14:49:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-06 16:24:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-06 14:49:56 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-06 16:24:45 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-12-29 18:22:55 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-01-06 14:57:00 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-12-29 18:22:55 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-01-06 14:57:00 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1077277]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GWMDMMSG"="GWMDMMSG.exe" [2001-08-15 20:25 100913 C:\WINDOWS\GWMDMMSG.exe]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 15:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 01:28:32]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 20:15:54]

    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 07:11]
    S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

    *Newly Created Service* - ENTDRV51
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 11:27:24
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-06 11:27:53
    ComboFix-quarantined-files.txt 2008-01-06 16:27:44
    ComboFix2.txt 2008-01-06 14:57:03
    .
    2007-12-16 15:25:07 --- E O F ---


    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:32:37 AM, on 1/6/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsweb.bf.umich.edu/msrdp.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\HelpSpot\StartFirstControl.CAB
    O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\HelpSpot\XPLControl.CAB
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS

    --
    End of file - 4678 bytes

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Log looks fine

    As far as windows updates, you need to get all your ducks in a row.

    1. Run a system cleaner ( see below)
    2. Defrag your drive.
    3. Turn off all Anti Virus and Anti Spyware apps so they don't interfere with the install.


    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


    Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot up.


    You can open Internet Explorer and go to Tools> Windows Updates and go for it. If you like, you can download it directly from here. You can even order the CD for free from Microsoft. Microsoft also offers free support if you have problems installing it.

    http://www.microsoft.com/windowsxp/sp2/default.mspx
    http://support.microsoft.com/default...r=windowsxpsp2 <-- Contact a support person



    Malware Complaints
    Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


    Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.
    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
    • Spybot Search and Destroy 1.5
      Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 2.0.0.6 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    • Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


    Glad we could help

    Safe Surfn
    Ken
