Virtumonde Removal Assistance

**EtaCar** · 2008-11-23, 18:45

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:51 AM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\GetModule\GetModule29.exe
C:\Documents and Settings\Johnson\Application Data\gadcom\gadcom.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwec.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [10cf41b9] rundll32.exe "C:\WINDOWS\system32\vklruyfk.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [GetModule29] C:\Program Files\GetModule\GetModule29.exe
O4 - HKCU\..\Run: [gadcom] "C:\WINDOWS\system32\config\systemprofile\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1201218583078
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201223771718
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab75411.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O20 - AppInit_DLLs: snlqmg.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7091 bytes

**pskelley** · 2008-11-24, 23:25

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

1) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/comb...o-use-combofix

Thanks

**EtaCar** · 2008-11-25, 01:50

Thank you for the reply.

When I click on the "Save as..." tab in HJT, it immediately quits out of the program and does not give an option for me to save a text file.

Is there any work around to this?

**EtaCar** · 2008-11-25, 03:29

Nevermind. I got HijackThis to work.

Here is the HijackThis File:

Adobe Flash Player ActiveX
Adobe Reader 7.0
AIM 6
Apple Software Update
Athlon 64 Processor Driver
Baldur's Gate & Tales of the Sword Coast
Baldur's Gate Tutu
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Battleground Europe: WWIIOL
BioWare Premium Module: Neverwinter Nights(TM) Kingmaker
Citrix Presentation Server Client - Web Only
Command
Compatibility Pack for the 2007 Office system
Crysis(R) SP Demo
DH Driver Cleaner Professional Edition
Diablo II
DivX Codec
Download Manager 2.3.6
Drivers Install For Linksys Easylink Advisor
EndNote X
ERUNT 1.1j
Far Cry Demo
FEAR SP Demo
FINAL FANTASY XI
FINAL FANTASY XI: Chains of Promathia
FINAL FANTASY XI: Rise of the Zilart
FINAL FANTASY XI: Treasures of Aht Urhgan
FINAL FANTASY XI: Wings of the Goddess
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
HP Product Detection
IrfanView (remove only)
ISI ResearchSoft - Export Helper
Java(TM) 6 Update 10
Linksys EasyLink Advisor 1.6 (0032)
Maple 11
Marvell Miniport Driver
Mass Effect
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Nero Digital
Nero Suite
Network Monitor
Neverwinter Nights
NVIDIA Drivers
PlayGATE Setup
PlayOnline Viewer and Tetra Master
Prism Atomic Data 5.1.0 disk1
Prism Atomic Data 5.1.0 disk2
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Sid Meier's Civilization 4
Spect3D 6.4.0
Spybot - Search & Destroy
Star Wars JK II Jedi Outcast
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Star Wars®: Knights of the Old Republic (TM)
System Requirements Lab
TargetSaver
TVAnts 1.0
webHancer Customer Companion
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Yahoo! Messenger

Here is the logfile for ComboFix:

ComboFix 08-11-23.02 - Johnson 2008-11-24 20:13:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1559 [GMT -6:00]
Running from: c:\documents and settings\Johnson\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Johnson\Application Data\gadcom
c:\documents and settings\Johnson\Application Data\gadcom\gadcom.exe
c:\documents and settings\Johnson\Application Data\SpeedRunner
c:\documents and settings\Johnson\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Johnson\Application Data\SpeedRunner\SpeedRunner.exe
c:\documents and settings\Johnson\Application Data\SpeedRunner\SRUninstall.exe
c:\documents and settings\Johnson\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Johnson\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Johnson\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\Common Files\zfmf
c:\program files\Common Files\zfmf\zfmfa.exe
c:\program files\Common Files\zfmf\zfmfa.lck
c:\program files\Common Files\zfmf\zfmfd\class-barrel
c:\program files\Common Files\zfmf\zfmfd\vocabulary
c:\program files\Common Files\zfmf\zfmfd\zfmfc.dll
c:\program files\Common Files\zfmf\zfmfl.exe
c:\program files\Common Files\zfmf\zfmfl.lck
c:\program files\Common Files\zfmf\zfmfm.exe
c:\program files\Common Files\zfmf\zfmfm.lck
c:\program files\Common Files\zfmf\zfmfp.exe
c:\program files\GetModule
c:\program files\GetModule\GetModule29.exe
c:\program files\inetget2
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\program files\webhancer
c:\program files\webhancer\Programs\license.txt
c:\program files\webhancer\Programs\readme.txt
c:\program files\webhancer\Programs\sporder.dll
c:\program files\webhancer\Programs\webhdll.dll
c:\program files\webhancer\Programs\whagent.exe
c:\program files\webhancer\Programs\whagent.ini
c:\program files\webhancer\Programs\whiehlpr.dll
c:\program files\webhancer\Programs\whinstaller.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\QW5kcmV3IEpvaG5zb24\
c:\windows\QW5kcmV3IEpvaG5zb24\\asappsrv.dll
c:\windows\QW5kcmV3IEpvaG5zb24\\command.exe
c:\windows\QW5kcmV3IEpvaG5zb24\\kqc4wApaKHDSu3cWvZb.vbs
c:\windows\QW5kcmV3IEpvaG5zb24\command.exe
c:\windows\system32\ahpajsuo.dll
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\cbXPfgeb.dll
c:\windows\system32\efcCvVnK.dll
c:\windows\system32\kfyurlkv.ini
c:\windows\system32\ldiuibmc.dll
c:\windows\system32\ljJASllJ.dll
c:\windows\system32\llxeupfu.dll
c:\windows\system32\msansspc.dll
c:\windows\system32\opnomkHW.dll
c:\windows\system32\ousjapha.ini
c:\windows\system32\pmnkIBsr.dll
c:\windows\system32\rsBIknmp.ini
c:\windows\system32\rsBIknmp.ini2
c:\windows\system32\snlqmg.dll
c:\windows\system32\tsuninst.exe
c:\windows\system32\vsafyz.dll
c:\windows\system32\vtUnmnki.dll.vir
c:\windows\system32\wpv071227228222.cpx
c:\windows\system32\wpv521227390376.cpx
c:\windows\system32\wvUMGaBu.dll
c:\windows\uninstall_nmon.vbs
c:\windows\wiaserviv.log
c:\windows\zfmf
c:\windows\zfmf\wu
c:\windows\zfmf\zfmf.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor

((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-24 03:17 . 2008-11-24 03:17 <DIR> d-------- c:\documents and settings\Johnson\Application Data\Twain
2008-11-24 03:12 . 2008-11-24 03:12 <DIR> d-------- c:\program files\Webtools
2008-11-23 11:28 . 2008-11-23 11:28 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 10:42 . 2008-11-23 10:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 10:42 . 2008-11-23 10:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 10:29 . 2008-11-23 10:29 <DIR> d-------- c:\program files\ERUNT
2008-11-23 10:01 . 2008-11-23 10:01 <DIR> d-------- C:\VundoFix Backups
2008-11-23 09:43 . 2008-11-23 10:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 09:43 . 2008-11-23 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 22:59 . 2008-11-23 10:36 <DIR> d-------- c:\documents and settings\Johnson\Application Data\GetModule
2008-11-16 10:49 . 2008-11-16 10:49 <DIR> d-------- c:\program files\TVAnts
2008-11-16 10:48 . 2008-11-16 10:48 <DIR> d-------- c:\program files\VideoLAN
2008-10-27 20:58 . 2008-10-27 21:06 47 --a------ C:\CS163Homeworkhomework3out.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 16:42 --------- d-----w c:\program files\Java
2008-11-23 16:18 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-21 02:56 --------- d-----w c:\program files\eclipse
2008-11-17 06:36 --------- d-----w c:\documents and settings\Johnson\Application Data\LimeWire
2008-10-29 15:15 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-11 13:47 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2008-10-03 23:30 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-03 23:28 36,864 ----a-w c:\windows\system32\maplec.dll
2008-10-03 23:28 147,456 ----a-w c:\windows\system32\WMIMPLEX.dll
2008-10-03 23:28 --------- d-----w c:\program files\Maple 11
2008-10-03 23:27 --------- d--h--w c:\program files\Zero G Registry
.

------- Sigcheck -------

2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 06:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-07-08 22:15 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\system32\dllcache\TCPIP.SYS
2008-07-08 22:15 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-08-12 126464]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2008-09-15 860160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vsafyz.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\CivIV\\Civilization4.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Games\\SWKotOR2\\swupdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Games\\CRS\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Games\\BaldursGateTutu\\BGMain.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Games\\CrysisDemo\\Bin32\\Crysis.exe"=
"c:\\Games\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13747:TCP"= 13747:TCP:Ares

S3 asbp2poa;asbp2poa;\??\c:\docume~1\Johnson\LOCALS~1\Temp\asbp2poa.sys []
S3 SaiH0461;SaiH0461;c:\windows\system32\DRIVERS\SaiH0461.sys [2008-04-02 182528]
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{852FA2FD-EBDD-4BFF-82D6-7A2A67FB6146} - c:\windows\system32\pmnkIBsr.dll
BHO-{e26b2004-4613-4b55-afa6-7be039709eba} - c:\windows\system32\vsafyz.dll
HKCU-Run-GetModule29 - c:\program files\GetModule\GetModule29.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uwec.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 20:17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\AIM6\anotify.exe
.
**************************************************************************
.
Completion time: 2008-11-24 20:18:51 - machine was rebooted [Johnson]
ComboFix-quarantined-files.txt 2008-11-25 02:18:48

Pre-Run: 421,972,529,152 bytes free
Post-Run: 422,153,695,232 bytes free

232

**pskelley** · 2008-11-25, 11:49

Thanks for returning your information, looking at the uninstall list first.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< out of date, see this information:
http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

webHancer Customer Companion <<< I would uninstall this junk, see the link:
http://www.cexx.org/webhancer.htm
http://www.symantec.com/security_res...080814-0724-99

Please read and follow all directions carefully:

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

I can not proceed without the New Hijackthis log

**EtaCar** · 2008-11-25, 15:34

Oops, I apologize for not posting that. Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:26 AM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\EtaCar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwec.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1201218583078
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201223771718
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab75411.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O20 - AppInit_DLLs: vsafyz.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6789 bytes

**pskelley** · 2008-11-25, 17:11

No problem, I know how I would be if one of my computers was sick

LimeWire <<< see this: http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
C:\VundoFix Backups
c:\documents and settings\Johnson\Application Data\Twain
c:\documents and settings\Johnson\Application Data\LimeWire
c:\documents and settings\All Users\Application Data\Viewpoint

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: vsafyz.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum...ware-mbam.html

How is the computer running now?

Thanks...Phil

**EtaCar** · 2008-11-26, 01:22

Thank you again for the reply.

Here is the ComboFix log file:

ComboFix 08-11-23.02 - Administrator 2008-11-25 17:32:09.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1756 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\Johnson\Application Data\LimeWire
c:\documents and settings\Johnson\Application Data\LimeWire\active.mojito
c:\documents and settings\Johnson\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Johnson\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Johnson\Application Data\LimeWire\downloads.dat
c:\documents and settings\Johnson\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Johnson\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Johnson\Application Data\LimeWire\filters.props
c:\documents and settings\Johnson\Application Data\LimeWire\gnutella.net
c:\documents and settings\Johnson\Application Data\LimeWire\installation.props
c:\documents and settings\Johnson\Application Data\LimeWire\library.dat
c:\documents and settings\Johnson\Application Data\LimeWire\limewire.props
c:\documents and settings\Johnson\Application Data\LimeWire\mojito.props
c:\documents and settings\Johnson\Application Data\LimeWire\passive.mojito
c:\documents and settings\Johnson\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Johnson\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Johnson\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Johnson\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Johnson\Application Data\LimeWire\questions.props
c:\documents and settings\Johnson\Application Data\LimeWire\responses.cache
c:\documents and settings\Johnson\Application Data\LimeWire\simpp.xml
c:\documents and settings\Johnson\Application Data\LimeWire\spam.dat
c:\documents and settings\Johnson\Application Data\LimeWire\tables.props
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Johnson\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Johnson\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Johnson\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Johnson\Application Data\LimeWire\version.xml
c:\documents and settings\Johnson\Application Data\LimeWire\versions.props
c:\documents and settings\Johnson\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Johnson\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\Johnson\Application Data\Twain
c:\documents and settings\Johnson\Application Data\Twain\Twain.exe
C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-24 03:12 . 2008-11-24 03:12 <DIR> d-------- c:\program files\Webtools
2008-11-23 11:28 . 2008-11-23 11:28 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 10:42 . 2008-11-23 10:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 10:42 . 2008-11-23 10:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 10:29 . 2008-11-23 10:29 <DIR> d-------- c:\program files\ERUNT
2008-11-23 09:43 . 2008-11-23 10:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 09:43 . 2008-11-23 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 22:59 . 2008-11-23 10:36 <DIR> d-------- c:\documents and settings\Johnson\Application Data\GetModule
2008-11-16 10:49 . 2008-11-16 10:49 <DIR> d-------- c:\program files\TVAnts
2008-11-16 10:48 . 2008-11-16 10:48 <DIR> d-------- c:\program files\VideoLAN
2008-10-27 20:58 . 2008-10-27 21:06 47 --a------ C:\CS163Homeworkhomework3out.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 16:42 --------- d-----w c:\program files\Java
2008-11-21 02:56 --------- d-----w c:\program files\eclipse
2008-10-29 15:15 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-11 13:47 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2008-10-03 23:30 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-03 23:28 36,864 ----a-w c:\windows\system32\maplec.dll
2008-10-03 23:28 147,456 ----a-w c:\windows\system32\WMIMPLEX.dll
2008-10-03 23:28 --------- d-----w c:\program files\Maple 11
2008-10-03 23:27 --------- d--h--w c:\program files\Zero G Registry
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-08-12 126464]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2008-09-15 860160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\CivIV\\Civilization4.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Games\\SWKotOR2\\swupdate.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Games\\CRS\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Games\\BaldursGateTutu\\BGMain.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Games\\CrysisDemo\\Bin32\\Crysis.exe"=
"c:\\Games\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13747:TCP"= 13747:TCP:Ares

S3 asbp2poa;asbp2poa;\??\c:\docume~1\Johnson\LOCALS~1\Temp\asbp2poa.sys []
S3 SaiH0461;SaiH0461;c:\windows\system32\DRIVERS\SaiH0461.sys [2008-04-02 182528]
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 17:33:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-25 17:33:42
ComboFix-quarantined-files.txt 2008-11-25 23:33:25
ComboFix2.txt 2008-11-25 02:18:53

Pre-Run: 422,161,174,528 bytes free
Post-Run: 422,163,628,032 bytes free

166

Here is the New Hijack This file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:39 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\EtaCar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1201218583078
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201223771718
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab75411.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6037 bytes

Here is the MalWare Bytes log file:

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

11/25/2008 6:17:31 PM
mbam-log-2008-11-25 (18-17-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 215498
Time elapsed: 36 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 63

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnson\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Johnson\Application Data\Microsoft\Windows\jssicw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnson\Desktop\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Johnson\Application Data\gadcom\gadcom.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Johnson\Application Data\Twain\Twain.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\zfmf\zfmfa.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\zfmf\zfmfl.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\zfmf\zfmfm.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\zfmf\zfmfp.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\zfmf\zfmfd\zfmfc.dll.vir (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Mjcore\Mjcore.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whagent.exe.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whiehlpr.dll.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whinstaller.exe.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\QW5kcmV3IEpvaG5zb24\asappsrv.dll.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\QW5kcmV3IEpvaG5zb24\command.exe.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ahpajsuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXPfgeb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcCvVnK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ldiuibmc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJASllJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\llxeupfu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnomkHW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\snlqmg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tsuninst.exe.vir (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsafyz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUnmnki.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv071227228222.cpx.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUMGaBu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP311\A0021078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021147.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021188.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021189.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021191.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021192.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021193.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021194.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021197.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021198.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021202.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021204.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021207.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021208.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021209.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021210.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021212.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021213.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021214.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021217.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021218.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021224.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{48462576-4CF7-4764-9968-FE95CF228EF6}\RP313\A0021307.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnson\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnson\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnson\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

I will post a follow up letting you know how things appear to be running momentarily.

**pskelley** · 2008-11-26, 01:26

Post a new HijackThis log ...DO NOT post HJT logs in Safe mode or Safe mode with network support

Thanks

**EtaCar** · 2008-11-26, 01:35

Here is a new HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:48 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\EtaCar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwec.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1201218583078
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201223771718
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab75411.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6667 bytes

Thread: Virtumonde Removal Assistance

Thread Tools

Display

Virtumonde Removal Assistance

Posting Permissions