Thread: Virtumonde Vundo :P

  1. #1
    Junior Member
    Join Date: Jan 2009
    Posts: 6

    Virtumonde Vundo :P

    Yeah I've seen a lot of threads about this before and I got it...so here I am.

    For quite a while S&D was not deleting all of the vundo it was showing, but then not real long ago I got one of the new updates and it's been fixing the vundo, but since it is vundo, it's proven hard to delete, and even though it shows it's deleting it, it's still coming back. Now my computer's performance loss is starting to show.

    Any help would be appreciated.

    The HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:17:18 PM, on 1/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [KADxMain] c:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe"
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4924] command /c del "C:\WINDOWS\system32\qdrqgqsc.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7958] cmd /c del "C:\WINDOWS\system32\qdrqgqsc.dll_old"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6519] command /c del "C:\WINDOWS\system32\cnkrnwwt.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5823] cmd /c del "C:\WINDOWS\system32\cnkrnwwt.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9933] command /c del "C:\WINDOWS\system32\qdrqgqsc.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1281] cmd /c del "C:\WINDOWS\system32\qdrqgqsc.dll_old"
    O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: yxvlmg.dll oxyovb.dll kegncq.dll pwehuw.dll exgevn.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7177 bytes

    Oh, I forgot to add that this was a log I did while in safe mode. When I start up normally now there is so much stuff loading sometimes I have to force shutdown my computer. It used to not be that bad. Even though now my scans are showing less vundo. I used to have some kind of smitfraud-c which appeared to not do anything. I also had normal virtumonde, virtumonde.sci and some other types.
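An added triage helper, written for this thread and not code from the poster, the forum helper, HijackThis or ComboFix: it pulls the O20 AppInit_DLLs names and the O4 RunOnce ".dll_old" deletions out of HijackThis lines like the ones above and checks them against the "Other Deletions" section of a ComboFix log like the one posted later in this thread, so the DLLs ComboFix never reported removing stand out. The sample lines are copied from the logs in this thread; the section formats are the ones those logs use.

```python
"""Cross-check HijackThis indicators against a ComboFix deletion list.

Added example for this thread; not code from the poster, the helper,
HijackThis or ComboFix. The sample lines are copied from the logs posted
in this thread, and the section formats are the ones those logs use.
"""
import re
from typing import Dict, List, Set

# A HijackThis entry is "<section code> - <body>", e.g. "O20 - AppInit_DLLs: ...".
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Quoted file path in an O4 RunOnce entry of the form: cmd /c del "<path>"
DEL_TARGET = re.compile(r'del\s+"(?P<path>[^"]+)"', re.IGNORECASE)

# HijackThis lines taken from the first log in this thread.
HJT_SAMPLE = r"""O4 - HKLM\..\RunOnce: [SpybotDeletingA4924] command /c del "C:\WINDOWS\system32\qdrqgqsc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6519] command /c del "C:\WINDOWS\system32\cnkrnwwt.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: yxvlmg.dll oxyovb.dll kegncq.dll pwehuw.dll exgevn.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Abridged excerpt of the ComboFix log posted later in this thread.
COMBOFIX_SAMPLE = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\adtbgmwq.dll
c:\windows\system32\exgevn.dll
c:\windows\system32\kegncq.dll
c:\windows\system32\pwehuw.dll
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-05 14:19 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\914498b.dll
"""


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {'code', 'body'} entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def appinit_dlls(entries: List[Dict[str, str]]) -> Set[str]:
    """DLL names under O20 AppInit_DLLs.

    Windows loads every DLL listed there into each process that links
    user32.dll, which is why Vundo parked its randomly named DLLs here.
    """
    names: Set[str] = set()
    for e in entries:
        if e["code"] == "O20" and e["body"].startswith("AppInit_DLLs:"):
            names.update(n.lower() for n in e["body"].split(":", 1)[1].split())
    return names


def pending_deletes(entries: List[Dict[str, str]]) -> Set[str]:
    """DLLs a cleaner renamed to *.dll_old and queued for deletion via O4 RunOnce.

    The name without the "_old" suffix is the DLL that was live before the rename.
    """
    names: Set[str] = set()
    for e in entries:
        if e["code"] == "O4" and "RunOnce" in e["body"]:
            m = DEL_TARGET.search(e["body"])
            if m:
                name = basename(m.group("path"))
                names.add(name[: -len("_old")] if name.endswith("_old") else name)
    return names


def combofix_deletions(text: str) -> Set[str]:
    """Base names listed under ComboFix's 'Other Deletions' banner only."""
    names: Set[str] = set()
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if "Other Deletions" in s:
            in_section = True
        elif in_section and s.startswith("((((("):  # next banner closes the section
            break
        elif in_section and s.lower().startswith("c:\\"):
            names.add(basename(s))
    return names


def unresolved(hjt_text: str, combofix_text: str) -> Dict[str, Set[str]]:
    """Split the HijackThis indicators by whether ComboFix reported deleting them."""
    entries = parse_hjt(hjt_text)
    indicators = appinit_dlls(entries) | pending_deletes(entries)
    removed = combofix_deletions(combofix_text)
    return {"removed": indicators & removed, "remaining": indicators - removed}


if __name__ == "__main__":
    for status, names in unresolved(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{status}: {', '.join(sorted(names)) or '-'}")
```

On the thread's own logs this leaves yxvlmg.dll and oxyovb.dll (from AppInit_DLLs) and the two Spybot-renamed DLLs in the "remaining" set, which is exactly the list a helper would want to follow up on with a fresh log.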

  2. #2
    Emeritus - Security Expert (peku006)
    Join Date: Feb 2007
    Location: Norway
    Posts: 3,103

    Hello and welcome to Safer Networking.

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear".


    If you follow these instructions, everything should go smoothly.

    1 - Scan With ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    2 - Run Hijackthis
    Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.

    3 - Status Check
    Please reply with:

    1. the ComboFix log (C:\ComboFix.txt)
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs through PM. If you have problems, create a thread in the forum, please.

  3. #3
    Junior Member
    Join Date: Jan 2009
    Posts: 6

    Thanks for replying! Here's the output of the ComboFix log:

    ComboFix 09-01-19.01 - Administrator 2009-01-19 12:02:03.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1482 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\adtbgmwq.dll
    c:\windows\system32\BceMonmp.ini
    c:\windows\system32\BceMonmp.ini2
    c:\windows\system32\boxiuv.dll
    c:\windows\system32\ewqombak.dll
    c:\windows\system32\exgevn.dll
    c:\windows\system32\fcpkoprc.dll
    c:\windows\system32\fexlynbd.dll
    c:\windows\system32\gltfkfyk.dll
    c:\windows\system32\hvpwfj.dll
    c:\windows\system32\ilvfhpnt.dll
    c:\windows\system32\imenpfek.dll
    c:\windows\system32\kegncq.dll
    c:\windows\system32\kldqdt.dll
    c:\windows\system32\nqgejm.dll
    c:\windows\system32\nqkqol.dll
    c:\windows\system32\pcswlpks.dll
    c:\windows\system32\pfuwecuu.dll
    c:\windows\system32\pmnoMecB.dll
    c:\windows\system32\pwehuw.dll
    c:\windows\system32\vahvidwf.dll
    c:\windows\system32\vzgcfw.dll
    c:\windows\system32\wccavcgd.dll
    c:\windows\system32\wwnscq.dll
    c:\windows\system32\wwrrlnbb.dll
    c:\windows\system32\x64
    c:\windows\system32\xdurtryc.dll
    c:\windows\system32\ymgcvwbm.dll
    c:\windows\system32\yyrqctma.dll

    ----- BITS: Possible infected sites -----

    hxxp://childhe.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
    .

    2009-01-18 21:44 . 2009-01-18 21:57 <DIR> d-------- c:\program files\Team Fortress 2
    2009-01-18 17:00 . 2009-01-18 17:00 120 --ahs---- c:\windows\system32\skplwscp.ini
    2009-01-17 11:56 . 2009-01-17 11:56 120 --ahs---- c:\windows\system32\tnphfvli.ini
    2009-01-16 11:53 . 2009-01-16 11:53 120 --ahs---- c:\windows\system32\bywtlrmd.ini
    2009-01-16 08:39 . 2009-01-16 08:39 120 --ahs---- c:\windows\system32\kabmoqwe.ini
    2009-01-15 08:32 . 2009-01-15 08:32 120 --ahs---- c:\windows\system32\cgvecusu.ini
    2009-01-14 00:12 . 2009-01-14 00:12 120 --ahs---- c:\windows\system32\csqgqrdq.ini
    2009-01-13 11:17 . 2009-01-13 11:17 120 --ahs---- c:\windows\system32\twwnrknc.ini
    2009-01-12 11:38 . 2009-01-18 23:55 664 --a------ c:\windows\system32\d3d9caps.dat
    2009-01-12 11:13 . 2009-01-12 11:13 120 --ahs---- c:\windows\system32\aljfmriu.ini
    2009-01-12 09:53 . 2009-01-12 09:53 <DIR> d-------- c:\windows\wb
    2009-01-12 08:16 . 2009-01-12 08:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
    2009-01-12 08:16 . 2009-01-19 12:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Azureus
    2009-01-12 08:15 . 2009-01-12 08:16 <DIR> d-------- c:\program files\Mininova-Vuze
    2009-01-12 08:13 . 2009-01-15 23:06 <DIR> d-------- c:\program files\Vuze
    2009-01-11 11:18 . 2009-01-11 11:18 120 --ahs---- c:\windows\system32\dbnylxef.ini
    2009-01-10 11:15 . 2009-01-10 11:15 120 --ahs---- c:\windows\system32\kefpnemi.ini
    2009-01-09 09:10 . 2009-01-09 09:10 120 --ahs---- c:\windows\system32\opwptitd.ini
    2009-01-08 09:07 . 2009-01-08 09:07 120 --ahs---- c:\windows\system32\vbrtxdcr.ini
    2009-01-08 08:59 . 2009-01-08 08:59 120 --ahs---- c:\windows\system32\grqbirrl.ini
    2009-01-08 08:07 . 2008-07-27 01:53 <DIR> d-------- c:\documents and settings\boinc_master\Application Data\Wave Systems Corp
    2009-01-08 08:07 . 2008-07-27 01:49 <DIR> d-------- c:\documents and settings\boinc_master\Application Data\InstallShield
    2009-01-08 08:07 . 2009-01-08 08:07 <DIR> d-------- c:\documents and settings\boinc_master
    2009-01-07 08:58 . 2009-01-07 08:58 120 --ahs---- c:\windows\system32\niyktfga.ini
    2009-01-06 11:29 . 2009-01-06 11:29 <DIR> d-------- c:\program files\Lavasoft
    2009-01-06 11:29 . 2009-01-06 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-06 09:01 . 2009-01-06 09:01 120 --ahs---- c:\windows\system32\ykhvkqva.ini
    2009-01-05 14:19 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\914498b.dll
    2009-01-05 14:19 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\2e4af660.dll
    2009-01-05 12:33 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\5cd3cb9.dll
    2009-01-05 12:33 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\1f69570.dll
    2009-01-05 12:30 . 2009-01-05 12:30 120 --ahs---- c:\windows\system32\trlbahjf.ini
    2009-01-04 21:21 . 2009-01-05 10:03 <DIR> d-------- c:\documents and settings\TEMP
    2009-01-04 21:15 . 2009-01-16 12:20 1,342 --a------ c:\windows\wininit.ini
    2009-01-04 19:50 . 2009-01-04 20:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-01-04 19:50 . 2009-01-04 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-04 19:39 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\29123c.dll
    2009-01-04 19:39 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\248d6eb2.dll
    2009-01-04 19:10 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\4cefe1a.dll
    2009-01-04 19:09 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\48d03cf.dll
    2009-01-04 19:05 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\4dd8629.dll
    2009-01-04 19:05 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\28701c8.dll
    2009-01-04 18:59 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\ce0fa2c.dll
    2009-01-04 18:59 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\4e28e54.dll
    2009-01-04 18:56 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\711c662.dll
    2009-01-04 18:56 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\13c34.dll
    2009-01-04 18:52 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\b12318f.dll
    2009-01-04 18:52 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\4042627.dll
    2009-01-04 14:52 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\357c0.dll
    2009-01-04 14:52 . 2008-04-14 04:42 82,432 --ah---t- c:\windows\system32\10c0e0db.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-19 18:13 --------- d-----w c:\documents and settings\All Users\Application Data\BOINC
    2009-01-19 18:07 --------- d-----w c:\program files\Steam
    2009-01-12 19:29 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
    2009-01-06 17:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-01-06 16:09 --------- d-----w c:\program files\BOINC
    2009-01-04 22:02 31 ----a-w c:\documents and settings\Administrator\jagex_runescape_preferences.dat
    2008-12-17 21:31 --------- d-----w c:\program files\FirstClass
    2008-12-13 23:58 --------- d-----w c:\documents and settings\Administrator\Application Data\InfraRecorder
    2008-12-10 01:40 --------- d-----w c:\documents and settings\Administrator\Application Data\Elluminate
    2008-11-26 20:53 --------- d-----w c:\program files\Phun
    2008-11-26 02:12 --------- d-----r c:\documents and settings\Administrator\Application Data\Brother
    2008-11-25 21:47 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-08-16 00:48 10,999,104 ----a-w c:\program files\ymsgr_setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMini.dll" [2008-09-15 1784856]

    [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-29 4670704]
    "Steam"="c:\program files\steam\steam.exe" [2008-11-19 1410296]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-10 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-10 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-10 137752]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-09 159744]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "boinctray"="c:\program files\BOINC\boinctray.exe" [2008-09-19 58112]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-09-13 c:\windows\stsystra.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 14:20 73728 c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_06\\bin\\javaw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "c:\\Nexon\\Combat Arms\\NMService.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Documents and Settings\\Administrator\\My Documents\\Azureus Downloads\\Unreal Tournament\\UnrealTournament\\System\\UnrealTournament.exe"=

    R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2006-12-10 218112]
    R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-12-10 48140]
    R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-10 204800]
    R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-12-10 19200]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
    R4 BOINC;BOINC;c:\program files\BOINC\boinc.exe [2008-09-19 721664]
    R4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-08-11 5120]
    S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2615bcd-6df5-11dd-84a4-001d09ddd1a4}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-14 c:\windows\Tasks\cbanoyyp.job
    - c:\windows\system32\byXQHyVp.dll []
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1E4785B3-6690-4F98-A908-E3B5A0F8DBCC} - (no file)
    BHO-{21133BDB-B676-48DF-87CD-550512010CC7} - (no file)
    BHO-{9896A6F8-A555-45E3-84E1-8FF680382438} - c:\windows\system32\pmnoMecB.dll
    BHO-{A5897692-5F6A-4F52-957E-F69FE2CF55B0} - (no file)
    BHO-{a6cfed5c-af71-4143-ad93-01673b5153f4} - c:\windows\system32\boxiuv.dll
    BHO-{BE0CB4C9-12B8-45FF-AAEA-5F5B76732965} - (no file)
    BHO-{E3A2E102-D56F-42EE-A1C4-EA1B2A0502D4} - (no file)
    BHO-{ECC5AA5F-11BB-4F7B-A592-D9C82C65F817} - (no file)
    Notify-yayyXrRI - yayyXrRI.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lawrence.ks.schoolwebpages.com
    mStart Page = hxxp://lawrence.ks.schoolwebpages.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fauop6mz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-19 12:12:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\Administrator\Software\YourCompanyName\YourProductName\Version*]
    "VersionData"=hex:3f,3b,a5,fc,84,69,8c,f1,94,8b,0a,bb,c4,1a,04,36,13,c7,fa,f3,
    56,4c,ea,f2,5e,17,8b,86,5d,7c,a3,5e,1f,c5,c1,2f,b4,94,cb,57,e1,b0,71,99,12,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(948)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'lsass.exe'(1012)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    c:\windows\System32\BCMLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\brss01a.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\McAfee\Common Framework\Mctray.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\hidfind.exe
    c:\program files\DellTPad\ApntEx.exe
    c:\program files\Digital Line Detect\DLG.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\stacsv.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\windows\system32\wscntfy.exe
    c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
    c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
    c:\windows\system32\msdtc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-19 12:24:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-19 18:23:58

    Pre-Run: 41,849,303,040 bytes free
    Post-Run: 39,672,627,200 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    264 --- E O F --- 2008-12-19 13:31:34



    And the output of the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:38:37 PM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [KADxMain] c:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8449 bytes

  4. #4
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi coilgunner

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
    Azureus
    Mininova-Vuze
    Vuze

    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    1 - Run CFScript

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\skplwscp.ini
    c:\windows\system32\tnphfvli.ini
    c:\windows\system32\bywtlrmd.ini
    c:\windows\system32\kabmoqwe.ini
    c:\windows\system32\cgvecusu.ini
    c:\windows\system32\csqgqrdq.ini
    c:\windows\system32\twwnrknc.ini
    c:\windows\system32\aljfmriu.ini
    c:\windows\system32\dbnylxef.ini
    c:\windows\system32\kefpnemi.ini
    c:\windows\system32\opwptitd.ini
    c:\windows\system32\vbrtxdcr.ini
    c:\windows\system32\grqbirrl.ini
    c:\windows\system32\niyktfga.ini
    c:\windows\system32\ykhvkqva.ini
    c:\windows\system32\914498b.dll
    c:\windows\system32\2e4af660.dll
    c:\windows\system32\5cd3cb9.dll
    c:\windows\system32\1f69570.dll
    c:\windows\system32\trlbahjf.ini
    c:\windows\system32\29123c.dll
    c:\windows\system32\248d6eb2.dll
    c:\windows\system32\4cefe1a.dll
    c:\windows\system32\48d03cf.dll
    c:\windows\system32\4dd8629.dll
    c:\windows\system32\28701c8.dll
    c:\windows\system32\ce0fa2c.dll
    c:\windows\system32\4e28e54.dll
    c:\windows\system32\711c662.dll
    c:\windows\system32\13c34.dll
    c:\windows\system32\b12318f.dll
    c:\windows\system32\4042627.dll
    c:\windows\system32\357c0.dll
    c:\windows\system32\10c0e0db.dll
    c:\windows\Tasks\cbanoyyp.job
    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    2 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

    4 - Status Check
    Please reply with


    1. the ComboFix log (C:\ComboFix.txt)
    2. the Malwarebytes' Anti-Malware Log
    3. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default

    I'm working on getting those Logs to you, I should have them ready by today or tomorrow, I'm really sorry about the delay.

  6. #6
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi coilgunner
    Ok, no problem.
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default

    Well, I couldn't get ComboFix to work correctly because my Sophos Anti-Virus was interfering, and I could not seem to get it to fully turn off even though it was showing as off.

    However, I did get the other two logs.

    Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.1.2600 Service Pack 3

    2009-01-22 20:14:36
    mbam-log-2009-01-22 (20-14-36).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 113169
    Time elapsed: 2 hour(s), 10 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 25

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP101\A0033382.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP105\A0038553.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP105\A0038554.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP84\A0024575.exe (Adware.Zango) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP89\A0025915.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0027773.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0026776.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0026777.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0026780.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0027743.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0027744.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0027754.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP95\A0027758.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028823.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028825.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028862.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028864.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028879.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028880.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028882.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028883.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028867.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0028917.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP97\A0029930.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP98\A0031933.dll (Adware.Shopper) -> Quarantined and deleted successfully.


    And the Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:19, on 2009-01-22
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lawrence.ks.schoolwebpages.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMini.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [KADxMain] c:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.75.0\ZangoSA.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8500 bytes


    --

    It seemed that I uninstalled the Vuze peer to peer, but it left some stuff behind that I will have to clean up.


    -Thanks again for all the help

  8. #8
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi coilgunner
    OK don't worry about Combofix, we'll try a different tool:

    Download and Run OTMoveIt3

    Download OTMoveIt3 by Old Timer and save it to your Desktop.
    • Double-click OTMoveIt3.exe.
    • Copy the lines in the codebox below.

    Code:
    :files
    c:\windows\system32\skplwscp.ini
    c:\windows\system32\tnphfvli.ini
    c:\windows\system32\bywtlrmd.ini
    c:\windows\system32\kabmoqwe.ini
    c:\windows\system32\cgvecusu.ini
    c:\windows\system32\csqgqrdq.ini
    c:\windows\system32\twwnrknc.ini
    c:\windows\system32\aljfmriu.ini
    c:\windows\system32\dbnylxef.ini
    c:\windows\system32\kefpnemi.ini
    c:\windows\system32\opwptitd.ini
    c:\windows\system32\vbrtxdcr.ini
    c:\windows\system32\grqbirrl.ini
    c:\windows\system32\niyktfga.ini
    c:\windows\system32\ykhvkqva.ini
    c:\windows\system32\914498b.dll
    c:\windows\system32\2e4af660.dll
    c:\windows\system32\5cd3cb9.dll
    c:\windows\system32\1f69570.dll
    c:\windows\system32\trlbahjf.ini
    c:\windows\system32\29123c.dll
    c:\windows\system32\248d6eb2.dll
    c:\windows\system32\4cefe1a.dll
    c:\windows\system32\48d03cf.dll
    c:\windows\system32\4dd8629.dll
    c:\windows\system32\28701c8.dll
    c:\windows\system32\ce0fa2c.dll
    c:\windows\system32\4e28e54.dll
    c:\windows\system32\711c662.dll
    c:\windows\system32\13c34.dll
    c:\windows\system32\b12318f.dll
    c:\windows\system32\4042627.dll
    c:\windows\system32\357c0.dll
    c:\windows\system32\10c0e0db.dll
    c:\windows\Tasks\cbanoyyp.job
    • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3


    Please reply with

    the OTMoveIt3.log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Junior Member
    Join Date
    Jan 2009
    Posts
    6

    Default

    ========== FILES ==========
    File/Folder c:\windows\system32\skplwscp.ini not found.
    File/Folder c:\windows\system32\tnphfvli.ini not found.
    File/Folder c:\windows\system32\bywtlrmd.ini not found.
    File/Folder c:\windows\system32\kabmoqwe.ini not found.
    File/Folder c:\windows\system32\cgvecusu.ini not found.
    File/Folder c:\windows\system32\csqgqrdq.ini not found.
    File/Folder c:\windows\system32\twwnrknc.ini not found.
    File/Folder c:\windows\system32\aljfmriu.ini not found.
    File/Folder c:\windows\system32\dbnylxef.ini not found.
    File/Folder c:\windows\system32\kefpnemi.ini not found.
    File/Folder c:\windows\system32\opwptitd.ini not found.
    File/Folder c:\windows\system32\vbrtxdcr.ini not found.
    File/Folder c:\windows\system32\grqbirrl.ini not found.
    File/Folder c:\windows\system32\niyktfga.ini not found.
    File/Folder c:\windows\system32\ykhvkqva.ini not found.
    DllUnregisterServer procedure not found in c:\windows\system32\914498b.dll
    c:\windows\system32\914498b.dll NOT unregistered.
    c:\windows\system32\914498b.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\2e4af660.dll
    c:\windows\system32\2e4af660.dll NOT unregistered.
    c:\windows\system32\2e4af660.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\5cd3cb9.dll
    c:\windows\system32\5cd3cb9.dll NOT unregistered.
    c:\windows\system32\5cd3cb9.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\1f69570.dll
    c:\windows\system32\1f69570.dll NOT unregistered.
    c:\windows\system32\1f69570.dll moved successfully.
    File/Folder c:\windows\system32\trlbahjf.ini not found.
    DllUnregisterServer procedure not found in c:\windows\system32\29123c.dll
    c:\windows\system32\29123c.dll NOT unregistered.
    c:\windows\system32\29123c.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\248d6eb2.dll
    c:\windows\system32\248d6eb2.dll NOT unregistered.
    c:\windows\system32\248d6eb2.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\4cefe1a.dll
    c:\windows\system32\4cefe1a.dll NOT unregistered.
    c:\windows\system32\4cefe1a.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\48d03cf.dll
    c:\windows\system32\48d03cf.dll NOT unregistered.
    c:\windows\system32\48d03cf.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\4dd8629.dll
    c:\windows\system32\4dd8629.dll NOT unregistered.
    c:\windows\system32\4dd8629.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\28701c8.dll
    c:\windows\system32\28701c8.dll NOT unregistered.
    c:\windows\system32\28701c8.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\ce0fa2c.dll
    c:\windows\system32\ce0fa2c.dll NOT unregistered.
    c:\windows\system32\ce0fa2c.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\4e28e54.dll
    c:\windows\system32\4e28e54.dll NOT unregistered.
    c:\windows\system32\4e28e54.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\711c662.dll
    c:\windows\system32\711c662.dll NOT unregistered.
    c:\windows\system32\711c662.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\13c34.dll
    c:\windows\system32\13c34.dll NOT unregistered.
    c:\windows\system32\13c34.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\b12318f.dll
    c:\windows\system32\b12318f.dll NOT unregistered.
    c:\windows\system32\b12318f.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\4042627.dll
    c:\windows\system32\4042627.dll NOT unregistered.
    c:\windows\system32\4042627.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\357c0.dll
    c:\windows\system32\357c0.dll NOT unregistered.
    c:\windows\system32\357c0.dll moved successfully.
    DllUnregisterServer procedure not found in c:\windows\system32\10c0e0db.dll
    c:\windows\system32\10c0e0db.dll NOT unregistered.
    c:\windows\system32\10c0e0db.dll moved successfully.
    c:\windows\Tasks\cbanoyyp.job moved successfully.

    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01232009_082432
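
    An added example, not code from this thread or from OTMoveIt3's author: a small Python checker that reconciles an OTMoveIt3 ":files" script against the results block it produces, so that every requested path is confirmed either moved or already absent, and anything the log touched that was not in the script is flagged. The script fragment and results block below are constructed in the same format as the ones posted above; the path example_missing.dll is made up to show the unaccounted case.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment of an OTMoveIt3 ":files" script in the
# format posted in this thread. example_missing.dll is made up and has no
# corresponding result line, to exercise the "unaccounted" case.
FILES_SCRIPT = r"""
:files
c:\windows\system32\skplwscp.ini
c:\windows\system32\914498b.dll
c:\windows\Tasks\cbanoyyp.job
c:\windows\system32\example_missing.dll
"""

# Constructed sample: the matching OTMoveIt3 results block.
RESULTS_LOG = r"""
========== FILES ==========
File/Folder c:\windows\system32\skplwscp.ini not found.
DllUnregisterServer procedure not found in c:\windows\system32\914498b.dll
c:\windows\system32\914498b.dll NOT unregistered.
c:\windows\system32\914498b.dll moved successfully.
c:\windows\Tasks\cbanoyyp.job moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01232009_082432
"""

SCRIPT_DIRECTIVE = re.compile(r"^:(\w+)\s*$")

# Each OTMoveIt3 result line reports one disposition for one path.
# Order matters only for readability; the patterns do not overlap.
RESULT_PATTERNS = [
    ("not_found", re.compile(r"^File/Folder (?P<path>.+) not found\.$")),
    ("moved", re.compile(r"^(?P<path>.+) moved successfully\.$")),
    ("not_unregistered", re.compile(r"^(?P<path>.+) NOT unregistered\.$")),
    ("no_unregister_export",
     re.compile(r"^DllUnregisterServer procedure not found in (?P<path>.+)$")),
]


def parse_files_script(text: str) -> List[str]:
    """Return the paths listed under the ':files' directive, in script order."""
    paths: List[str] = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        m = SCRIPT_DIRECTIVE.match(line)
        if m:
            # A new directive (:files, :commands, ...) starts a new section.
            in_files = m.group(1).lower() == "files"
            continue
        if in_files and line:
            paths.append(line)
    return paths


def parse_results(text: str) -> Dict[str, List[str]]:
    """Map each path to the dispositions reported for it, in log order.

    Keys are lower-cased because Windows paths are case-insensitive."""
    events: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in RESULT_PATTERNS:
            m = pattern.match(line)
            if m:
                events.setdefault(m.group("path").lower(), []).append(kind)
                break
    return events


def reconcile(script_text: str, results_text: str) -> Dict[str, List[str]]:
    """Check that every scripted path reached a terminal state (moved, or
    already absent) and that the log names no path the script did not list.

    "unaccounted" paths need a second look: the tool never reported on them,
    so the item is neither confirmed gone nor confirmed absent."""
    script_paths = parse_files_script(script_text)
    events = parse_results(results_text)
    report: Dict[str, List[str]] = {
        "moved": [], "not_found": [], "unaccounted": [], "unexpected": []}
    wanted = set()
    for path in script_paths:
        key = path.lower()
        wanted.add(key)
        kinds = events.get(key, [])
        if "moved" in kinds:
            report["moved"].append(path)
        elif "not_found" in kinds:
            report["not_found"].append(path)
        else:
            report["unaccounted"].append(path)
    for key in events:
        if key not in wanted:
            report["unexpected"].append(key)
    return report


if __name__ == "__main__":
    for status, paths in reconcile(FILES_SCRIPT, RESULTS_LOG).items():
        print(f"{status}: {paths}")
```

The "NOT unregistered" lines are expected for Vundo DLLs, which export no DllUnregisterServer; the checker records them but treats the subsequent "moved successfully" as the outcome that matters.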

  10. #10
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi coilgunner

    1 - Update Java

    Please download JavaRa and unzip it to your desktop.

    • Double-click on JavaRa.exe to start the program.
    • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
    • A log file will pop up. Please save it to a convenient location.


    Download the latest version of Java Runtime Environment (JRE) 6 Update 10.

    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.


    2 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      If you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program.


    3 - Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    4 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

    5 - Status Check
    Please reply with

    1. the JavaRa log
    2. the Kaspersky online scanner report
    3. a fresh HijackThis log
    How's the computer running now? Any problems?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
