I need help to get rid of the VIRTUMONDE trojan...

I have done an initial Kaspersky scan, two scans with Spybot, and an HJT scan, per the instructions.

here is the Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Saturday, December 08, 2007 5:53:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/12/2007
Kaspersky Anti-Virus database records: 477364


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 107293
Number of viruses found 9
Number of infected objects 20
Number of suspicious objects 0
Duration of the scan process 02:56:58

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{95001BAE-67CB-49F7-B2AB-AE6FEF6DAA8B}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{97A8DFDF-9788-42BB-B723-79FD5EF2A2EF}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Stan Schochler\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\Working\database_B6CC_BCD8_CCBC_93D9\dfsr.db Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\Working\database_B6CC_BCD8_CCBC_93D9\fsr.log Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\Working\database_B6CC_BCD8_CCBC_93D9\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Messenger\spmaestro@hotmail.com\SharingMetadata\Working\database_B6CC_BCD8_CCBC_93D9\tmp.edb Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Windows Live Contacts\spmaestro@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Application Data\Microsoft\Windows Live Contacts\spmaestro@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\History\History.IE5\MSHist012007120820071209\index.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\Perflib_Perfdata_dd0.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DF1F97.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DF2005.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DF4BE8.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DF64A7.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DF64B9.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temp\~DFE3CF.tmp Object is locked skipped

C:\Documents and Settings\Stan Schochler\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\My Documents\My Chat Logs\December 2007\gpf55@hotmail.com.html Object is locked skipped

C:\Documents and Settings\Stan Schochler\ntuser.dat Object is locked skipped

C:\Documents and Settings\Stan Schochler\ntuser.dat.LOG Object is locked skipped

C:\itouch_crash_info.txt Object is locked skipped

C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped

C:\System Volume Information\catalog.wci\00010008.ci Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped

C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0266644.dll Infected: not-a-virus:AdWare.Win32.AdBand.e skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1326\A0266647.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1331\A0266993.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1331\A0266994.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1332\A0267132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1332\A0267133.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1333\A0267332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1333\A0267333.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1334\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll Infected: not-a-virus:AdWare.Win32.Yahoo skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{A1CE3DDF-AA48-4B22-9418-CA7C2F35D523}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\ajqsuief.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\WINDOWS\SYSTEM32\blrmukxf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\clumbxim.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\fxgoptjk.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\kayvmvlg.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped

C:\WINDOWS\SYSTEM32\kxxrofkx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\WINDOWS\SYSTEM32\lqeuynio.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\WINDOWS\SYSTEM32\ubnqvmms.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped

C:\WINDOWS\SYSTEM32\uqglrxkf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped

C:\WINDOWS\SYSTEM32\vtutt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkx skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\xfmsfjne.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped

C:\WINDOWS\Temp\mcafee_pDpAqEhR0vndLuI Object is locked skipped

C:\WINDOWS\Temp\mcmsc_72dewFB6LJ2rPjJ Object is locked skipped

C:\WINDOWS\Temp\mcmsc_ChF2XsayxmjmrRv Object is locked skipped

C:\WINDOWS\Temp\mcmsc_Lqdn4dSvRsePDH4 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_OYlDHP7B4xCH3f5 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_sAxcWunz3L5PX34 Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
and now the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:37 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.orkut.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccbc9376] rundll32.exe "C:\WINDOWS\system32\uqglrxkf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/doubleplaymedia/grinstall_dpm1001_sp2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129067442343
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://spmaestro.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {89A218B0-4DE9-4CFB-8DFC-583355DA5330} (MemLaunApp Class) - http://www.worldclassvideochat.com/cab/WCLaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconftest/WcnfGroupControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10457 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

1) The infection is mostly hidden from HJT. Return here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT; call it Voando.exe, that will work. After a restart we should see the junk.

2) You did not install this junk on purpose did you?
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
See this: http://www.superadblocker.com/definition/palstart/
I suggest you look in Add Remove programs and uninstall that junk if it is there.

3) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click
the Scan for Vundo button" when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

4) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
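The two logs above carry the indicators a helper actually reads for: an O4 Run value with an 8-hex-digit name that loads a system32 DLL through rundll32 with a one-letter export (the [ccbc9376] ... uqglrxkf.dll,b line), BHOs whose display name is itself a GUID, orphaned BHO CLSIDs with "(no file)" behind them, and DLLs that Kaspersky reported as Infected but only "skipped" (the online scanner reports; it does not clean). Below is an added triage script that correlates those HJT lines with the Kaspersky report. It is not code from HijackThis, Kaspersky, VundoFix or this forum; the flag names and heuristics are my own, and the sample lines are copied from the logs posted in this thread. It flags entries for a human to review; it removes nothing.

```python
"""Triage HijackThis O2/O4 entries against a Kaspersky scan report.

Added example for this thread, not code from HijackThis, Kaspersky or the
forum. Flag names and heuristics are the author's own.
"""
import re
from typing import Dict, List, Optional

# Lines copied verbatim from the HJT and Kaspersky logs posted above.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [ccbc9376] rundll32.exe "C:\WINDOWS\system32\uqglrxkf.dll",b',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: {232a5ec3-24f0-f9fb-21e4-993c35cceda6} - {6adecc53-c399-4e12-bf9f-0f423ce5a232} - C:\WINDOWS\system32\xfmsfjne.dll',
    r'O2 - BHO: (no name) - {CCD000AC-66F5-4276-A992-B4E8A25DD705} - C:\WINDOWS\system32\vtutt.dll (file missing)',
    r'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
]
KAV_LINES = [
    r'C:\WINDOWS\SYSTEM32\uqglrxkf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped',
    r'C:\WINDOWS\SYSTEM32\xfmsfjne.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped',
    r'C:\WINDOWS\SYSTEM32\vtutt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bkx skipped',
    r'C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped',
]

GUID = r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}'
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>' + GUID + r') - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.I)
KAV_RE = re.compile(r'^(?P<path>.*?) Infected: (?P<verdict>\S+) (?P<action>\S+)$')
GUID_RE = re.compile('^' + GUID + '$')
HEX_VALUE_RE = re.compile(r'^[0-9a-f]{8}$')


def parse_av_hits(av_lines: List[str]) -> Dict[str, str]:
    """Map each path Kaspersky reported as Infected (lower-cased) to its verdict.
    'Object is locked' lines carry no verdict and are dropped."""
    hits: Dict[str, str] = {}
    for line in av_lines:
        m = KAV_RE.match(line)
        if m:
            hits[m.group('path').lower()] = m.group('verdict')
    return hits


def dll_from_target(target: str) -> Optional[str]:
    """Return the DLL path from an O2 target, or None when HJT printed (no file)."""
    if target == '(no file)':
        return None
    return re.sub(r' \(file missing\)$', '', target)


def flag_line(line: str, av_hits: Dict[str, str]) -> Optional[tuple]:
    """Return (key, flags) for an O2/O4 line, or None if it is neither."""
    flags: List[str] = []
    dll: Optional[str] = None
    m = O2_RE.match(line)
    if m:
        key = m.group('clsid')
        name, target = m.group('name'), m.group('target')
        dll = dll_from_target(target)
        if name == '(no name)' and dll is None:
            flags.append('orphan_bho_clsid')    # CLSID registered, no DLL behind it
        if GUID_RE.match(name):
            flags.append('guid_named_bho')      # display name is itself a GUID
        if target.endswith('(file missing)'):
            flags.append('bho_file_missing')    # path recorded, file not visible to HJT
    else:
        m = O4_RE.match(line)
        if not m:
            return None
        key = m.group('value')
        if HEX_VALUE_RE.match(key):
            flags.append('hex_run_value_name')  # Vundo-style 8-hex-digit value name
        r = RUNDLL_RE.match(m.group('cmd'))
        if r:
            dll = r.group('dll')
            if '\\system32\\' in dll.lower() and len(r.group('export')) == 1:
                flags.append('rundll32_single_letter_export')
    if dll and dll.lower() in av_hits:
        flags.append('av_detected:' + av_hits[dll.lower()])
    return key, flags


def triage(hjt_lines: List[str], av_lines: List[str]) -> Dict[str, List[str]]:
    """Return {CLSID or Run value name: flags} for every HJT line that raised a flag."""
    av_hits = parse_av_hits(av_lines)
    report: Dict[str, List[str]] = {}
    for line in hjt_lines:
        result = flag_line(line, av_hits)
        if result and result[1]:
            report[result[0]] = result[1]
    return report


if __name__ == '__main__':
    for key, flags in triage(HJT_LINES, KAV_LINES).items():
        print(key, ', '.join(flags))
```

The legitimate NvCplDaemon entry (named export, no AV hit) comes out clean while the [ccbc9376] entry trips three flags at once; the vtutt.dll BHO shows why the two logs are read together, since HJT reported its file missing but Kaspersky had already found it on disk.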
 
Sorry for the delay... I had a power outage. Let me ask a question: I was running
ComboFix... is it supposed to take a long time for this scan? I watched two football games and it still was not through... then came the power outage, so I will have to redo the scan.

I also uninstalled Paltalk. I never have had a problem with it; I've been a paid subscriber to it for 9 yrs, but I uninstalled it anyway, per your suggestion.
 
"I was running ComboFix... is it supposed to take a long time for this scan?"
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Be sure you have followed the directions and it is running from the Desktop; then the above information should apply.

I have never used Paltalk; all I can do is provide you with the information available to the malware community. I suppose a paid membership may keep them from loading it with adware? I am bogged down today, but will see if I can find more information.
Description of PALSTART.EXE
PalTalk is an IM client that is advertising supported. It may not be harmful to have on your computer, but it will serve various types of advertising.

Thanks
 
I tried rebooting the computer and running it again... it still didn't do anything. I rechecked Task Manager under Processes, and none of those processes were there.

Awaiting further instructions...
 
Post what you have. This infection is hard to remove with ComboFix to help; without it, I don't know. You might need to consider a reformat. I will do what I can.

I do recall a problem at one of the download sites the other day. I posted two of them for you. Try removing ComboFix completely and downloading it from the other site to see if it will work.

Thanks
 
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:07, on 2007-12-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\Voando.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.orkut.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {232a5ec3-24f0-f9fb-21e4-993c35cceda6} - {6adecc53-c399-4e12-bf9f-0f423ce5a232} - C:\WINDOWS\system32\xfmsfjne.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8628CD9E-3E82-4C8B-8FE6-97FEEF0DD740} - (no file)
O2 - BHO: (no name) - {862d3a4a-3e02-4854-b73a-fdf20ed04b84} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9CF1B352-A041-4FFE-8755-A7D9B4C15F2F} - (no file)
O2 - BHO: (no name) - {A6122CB3-736C-4DB0-99CC-1C405393C8F1} - (no file)
O2 - BHO: (no name) - {AE1AD2C9-D961-4F78-9F0F-A8AA94BA88A8} - (no file)
O2 - BHO: (no name) - {b3603b7b-caec-477d-96f8-9203bd525365} - (no file)
O2 - BHO: (no name) - {BB0B56AE-FB8D-4672-984A-A2F0F8E5F575} - (no file)
O2 - BHO: (no name) - {BCAAD310-EB24-48C5-8F8C-40024FE61EBB} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {CCD000AC-66F5-4276-A992-B4E8A25DD705} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {DFCE131F-7CA3-4D1E-A4D9-F50B3A99A76F} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccbc9376] rundll32.exe "C:\WINDOWS\system32\uqglrxkf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/doubleplaymedia/grinstall_dpm1001_sp2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129067442343
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://spmaestro.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {89A218B0-4DE9-4CFB-8DFC-583355DA5330} (MemLaunApp Class) - http://www.worldclassvideochat.com/cab/WCLaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconftest/WcnfGroupControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 12759 bytes
 
I just about forgot....the VUNDOFIX.txt

VundoFix V6.7.0

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:25:11 AM 12/9/2007

Listing files found while scanning....

C:\windows\SYSTEM32\ttutv.ini
C:\windows\SYSTEM32\ttutv.ini2
C:\windows\SYSTEM32\vtutt.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\ttutv.ini
C:\windows\SYSTEM32\ttutv.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ttutv.ini2
C:\windows\SYSTEM32\ttutv.ini2 Has been deleted!

Attempting to delete C:\windows\SYSTEM32\vtutt.dll
C:\windows\SYSTEM32\vtutt.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
The first time I downloaded ComboFix was by using the first link...the one from techsupport....I tried to run it..and it gave an error message saying that ComboFix.exe is not a valid Win32 application. Then I deleted that one...and tried the second one from mybleepingcomputer....and it worked....but it didn't scan...
 
It is likely you have a corrupt or missing file causing combofix not to work.
http://www.google.com/search?hl=en&...+a+valid+Win32+application&btnG=Google+Search
I would like you to run System File Checker and then give combofix another try:

Click Start > Run, type in sfc /scannow, hit Enter then OK
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things. You may need your XP disc in your CD drive for this.
http://dwightblackburn.com/winxp/ <<< good tutorial
If you get combofix to run, post that log as soon as you have it.

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Those old versions of Java are probably why you are infected. Uninstall all the old versions in Add/Remove Programs.

Instructions start here:

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) TeaTimer will block changes we must make, use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

4) Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

(files to add)
C:\WINDOWS\system32\xfmsfjne.dll
C:\WINDOWS\system32\uqglrxkf.dll

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {232a5ec3-24f0-f9fb-21e4-993c35cceda6} - {6adecc53-c399-4e12-bf9f-0f423ce5a232} - C:\WINDOWS\system32\xfmsfjne.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8628CD9E-3E82-4C8B-8FE6-97FEEF0DD740} - (no file)
O2 - BHO: (no name) - {862d3a4a-3e02-4854-b73a-fdf20ed04b84} - (no file)
O2 - BHO: (no name) - {9CF1B352-A041-4FFE-8755-A7D9B4C15F2F} - (no file)
O2 - BHO: (no name) - {A6122CB3-736C-4DB0-99CC-1C405393C8F1} - (no file)
O2 - BHO: (no name) - {AE1AD2C9-D961-4F78-9F0F-A8AA94BA88A8} - (no file)
O2 - BHO: (no name) - {b3603b7b-caec-477d-96f8-9203bd525365} - (no file)
O2 - BHO: (no name) - {BB0B56AE-FB8D-4672-984A-A2F0F8E5F575} - (no file)
O2 - BHO: (no name) - {BCAAD310-EB24-48C5-8F8C-40024FE61EBB} - (no file)
O2 - BHO: (no name) - {CCD000AC-66F5-4276-A992-B4E8A25DD705} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {DFCE131F-7CA3-4D1E-A4D9-F50B3A99A76F} - (no file)
O4 - HKLM\..\Run: [ccbc9376] rundll32.exe "C:\WINDOWS\system32\uqglrxkf.dll",b
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...pm1001_sp2.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.paltalk.com/webconft...oupControl.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\uqglrxkf.dll <<< make sure that file has been deleted

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and some feedback.

Thanks
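The HijackThis lines chosen for "Fix Checked" above follow a recognisable pattern (orphaned BHO registrations, an unnamed BHO loading a random-named system32 DLL, a rundll32 autostart of another such DLL, an ActiveX download with no class name). As an added example, not from this thread or from HijackThis or VundoFix themselves, here is a small Python 3 triage script that applies those same heuristics to HJT lines; the sample log is constructed from lines posted in this thread plus benign entries that must not be flagged.

```python
import re

# Constructed sample input: HijackThis lines copied from the logs posted in
# this thread, plus benign entries (Adobe, NVIDIA, Microsoft Update) that a
# correct triage must leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {232a5ec3-24f0-f9fb-21e4-993c35cceda6} - {6adecc53-c399-4e12-bf9f-0f423ce5a232} - C:\WINDOWS\system32\xfmsfjne.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CCD000AC-66F5-4276-A992-B4E8A25DD705} - C:\WINDOWS\system32\vtutt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccbc9376] rundll32.exe "C:\WINDOWS\system32\uqglrxkf.dll",b
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/doubleplaymedia/grinstall_dpm1001_sp2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab
"""

# A BHO whose display name is itself a CLSID has no friendly name registered.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Vundo-style filename: 5-8 lowercase letters, no digits, directly in system32
# (the thread's xfmsfjne.dll, uqglrxkf.dll, vtutt.dll). The name part is
# case-sensitive so NvCpl.dll is not matched. Heuristic, not a signature.
RANDOM_SYS32_DLL_RE = re.compile(r"(?i:\\system32\\)([a-z]{5,8})(?i:\.dll)")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?P<name> \([^)]*\))? - (?P<url>.*)$")


def classify(line):
    """Return a finding tag for one HijackThis line, or None if it looks benign."""
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if path == "(no file)" or path.endswith("(file missing)"):
            return "orphaned-bho"   # registration left behind; the DLL is already gone
        if (name == "(no name)" or GUID_RE.match(name)) and RANDOM_SYS32_DLL_RE.search(path):
            return "vundo-bho"      # unnamed BHO loading a random-named system32 DLL
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if re.search(r"rundll32", cmd, re.I) and RANDOM_SYS32_DLL_RE.search(cmd):
            return "vundo-run"      # rundll32 autostart of a random-named system32 DLL
        return None
    m = O16_RE.match(line)
    if m and not m.group("name"):
        return "unnamed-dpf"        # ActiveX download with no class name: review by hand
    return None


def triage(log_text):
    """Number the lines and return (line_no, tag, line) for each flagged entry."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        tag = classify(line.rstrip())
        if tag:
            findings.append((n, tag, line))
    return findings


if __name__ == "__main__":
    for n, tag, line in triage(SAMPLE_HJT_LOG):
        print(f"{n:3d} {tag:13s} {line}")
```

The tags only say why a line deserves attention; a legitimately unnamed BHO or ActiveX control will also be listed, so each finding still needs the kind of manual check the instructions above describe.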
 
ComboFix worked....but where am I to find the log?

and shall I continue with the instructions from your last post?
 
Finally the ComboFix log.....

ComboFix 07-12-09.1 - Stan Schochler 2007-12-09 19:38:03.2 - NTFSx86
Running from: C:\Documents and Settings\Stan Schochler\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\ajqsuief.dll
C:\WINDOWS\system32\blrmukxf.dll
C:\WINDOWS\system32\clumbxim.dll
C:\WINDOWS\system32\cvhsrqyd.dll
C:\WINDOWS\SYSTEM32\feiusqja.ini
C:\WINDOWS\SYSTEM32\fkxrlgqu.ini
C:\WINDOWS\system32\fxgoptjk.dll
C:\WINDOWS\SYSTEM32\fxkumrlb.ini
C:\WINDOWS\system32\kayvmvlg.dll
C:\WINDOWS\system32\kxxrofkx.dll
C:\WINDOWS\system32\lqeuynio.dll
C:\WINDOWS\SYSTEM32\oinyueql.ini
C:\WINDOWS\system32\ubnqvmms.dll
C:\WINDOWS\system32\uqglrxkf.dll
C:\WINDOWS\system32\xfmsfjne.dll
C:\WINDOWS\SYSTEM32\xkforxxk.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE




((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-09 18:39 . 2004-08-04 02:56 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2007-12-09 18:39 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2007-12-09 18:39 . 2002-08-29 05:00 28,288 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-12-09 18:39 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2007-12-09 18:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2007-12-09 18:39 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2007-12-09 18:39 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2007-12-09 18:39 . 2004-08-04 02:56 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2007-12-09 18:39 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2007-12-09 18:37 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usr1801.sys
2007-12-09 18:36 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tridxp.dll
2007-12-09 18:35 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sgiul50.dll
2007-12-09 18:34 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sblfx.dll
2007-12-09 18:33 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2007-12-09 18:32 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2007-12-09 18:31 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nv3.sys
2007-12-09 18:31 . 2001-08-17 12:20 126,080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nm5a2wdm.sys
2007-12-09 18:31 . 2001-08-17 22:36 123,776 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nv3.dll
2007-12-09 18:31 . 2001-08-17 12:20 87,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nm6wdm.sys
2007-12-09 18:31 . 2001-08-17 12:49 51,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ntgrip.sys
2007-12-09 18:31 . 2001-08-17 22:36 38,912 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-12-09 18:31 . 2004-08-04 01:00 28,672 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nscirda.sys
2007-12-09 18:31 . 2001-08-17 13:47 9,344 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ntapm.sys
2007-12-09 18:31 . 2001-08-17 13:53 7,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\nsmmc.sys
2007-12-09 18:29 . 2002-08-29 05:00 111,104 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mtstocom.exe
2007-12-09 18:29 . 2004-08-04 01:09 49,024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstape.sys
2007-12-09 18:29 . 2001-08-17 13:48 12,416 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msriffwv.sys
2007-12-09 18:29 . 2001-08-17 14:00 2,944 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msmpu401.sys
2007-12-09 18:28 . 2002-08-29 05:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-12-09 18:28 . 2002-08-29 05:00 98,304 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.dll
2007-12-09 18:28 . 2001-08-17 14:02 35,200 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msgame.sys
2007-12-09 18:28 . 2004-08-04 01:00 22,016 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msircomm.sys
2007-12-09 18:28 . 2001-08-17 13:48 6,016 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msfsio.sys
2007-12-09 18:27 . 2001-08-17 12:50 320,384 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mgaum.sys
2007-12-09 18:27 . 2001-08-17 14:56 235,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mgaud.dll
2007-12-09 18:27 . 2002-08-29 05:00 92,416 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mga.sys
2007-12-09 18:27 . 2002-08-29 05:00 92,032 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mga.dll
2007-12-09 18:27 . 2001-08-17 22:36 47,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\memgrp.dll
2007-12-09 18:27 . 2002-08-29 05:00 34,304 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\migisol.exe
2007-12-09 18:27 . 2004-08-04 01:00 26,112 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\memstpci.sys
2007-12-09 18:27 . 2001-08-17 13:58 8,320 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\memcard.sys
2007-12-09 18:27 . 2001-08-17 13:52 6,528 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\miniqic.sys
2007-12-09 18:25 . 2002-08-29 05:00 10,129,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-12-09 18:24 . 2002-08-29 05:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-12-09 18:23 . 2001-08-17 12:15 455,680 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\fus2base.sys
2007-12-09 18:22 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\diwan.sys
2007-12-09 18:21 . 2001-08-17 22:36 614,429 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\digiview.exe
2007-12-09 18:20 . 2002-08-29 05:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2007-12-09 18:19 . 2001-08-17 14:05 314,752 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\camdro21.sys
2007-12-09 18:18 . 2001-08-17 14:56 342,336 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\banshee.dll
2007-12-09 18:17 . 2004-08-04 01:10 38,912 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\avc.sys
2007-12-09 18:17 . 2001-08-17 14:01 36,096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\avcaudio.sys
2007-12-09 18:17 . 2004-08-04 01:09 13,696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\avcstrm.sys
2007-12-09 18:15 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2007-12-09 18:14 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2007-12-09 08:25 . 2007-12-09 08:25 <DIR> d-------- C:\VundoFix Backups
2007-12-08 20:14 . 2007-12-08 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 13:03 . 2007-12-08 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-08 13:02 . 2007-12-08 13:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-05 17:37 . 2007-12-06 01:14 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2007-12-03 12:48 . 2007-12-04 12:49 805,441 ---hs---- C:\WINDOWS\SYSTEM32\ihauobdm.ini
2007-12-02 12:45 . 2007-12-03 00:03 793,724 ---hs---- C:\WINDOWS\SYSTEM32\cqenkpbd.ini
2007-11-29 23:16 . 2007-11-29 23:16 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-11-29 23:15 . 2007-11-29 23:15 <DIR> d-------- C:\Program Files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 01:35 --------- d-----w C:\Program Files\Java
2007-12-09 14:17 --------- d-----w C:\Documents and Settings\Stan Schochler\Application Data\Paltalk
2007-12-09 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-08 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 13:42 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-12-03 08:36 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-12-01 09:13 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-01 07:53 --------- d-----w C:\Documents and Settings\Stan Schochler\Application Data\SiteAdvisor
2007-11-04 15:07 --------- d-----w C:\Program Files\MouseWare
2007-11-04 13:06 --------- d-----w C:\Program Files\MSN Messenger
2007-11-04 12:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-04 12:13 --------- d-----w C:\Documents and Settings\Stan Schochler\Application Data\Yahoo!
2007-11-04 12:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-04 05:56 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-04 05:56 --------- d-----w C:\Program Files\MSN Apps
2007-11-04 05:54 --------- d-----w C:\Documents and Settings\Stan Schochler\Application Data\InstallShield
2007-11-04 04:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 04:08 --------- d-----w C:\Program Files\Windows Live
2007-11-04 02:40 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-01-30 22:29 76,496 -c--a-w C:\Documents and Settings\Stan Schochler\Application Data\GDIPFONTCACHEV1.DAT
2004-02-21 03:49 457 -c--a-w C:\Program Files\INSTALL.LOG
2003-02-07 06:51 227,147 -c--a-w C:\Program Files\WCLaunch[1].cab
2003-02-07 06:42 1,994,838 -c--a-w C:\Program Files\WCVCM.EXE
2003-01-03 00:52 1,803,464 -c--a-w C:\Program Files\winzip81.exe
1999-07-07 02:59 481,128 -c--a-w C:\Program Files\ie5setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8628CD9E-3E82-4C8B-8FE6-97FEEF0DD740}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{862d3a4a-3e02-4854-b73a-fdf20ed04b84}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CF1B352-A041-4FFE-8755-A7D9B4C15F2F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6122CB3-736C-4DB0-99CC-1C405393C8F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE1AD2C9-D961-4F78-9F0F-A8AA94BA88A8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3603b7b-caec-477d-96f8-9203bd525365}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB0B56AE-FB8D-4672-984A-A2F0F8E5F575}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCAAD310-EB24-48C5-8F8C-40024FE61EBB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD000AC-66F5-4276-A992-B4E8A25DD705}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFCE131F-7CA3-4D1E-A4D9-F50B3A99A76F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-03-01 23:05]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 C:\WINDOWS\BCMSMMSG.exe]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-06 15:12]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-02-25 16:15]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-25 17:15]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-25 17:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 20:41]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 01:49]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-08-10 13:38]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-12-20 10:03:26]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-12-02 20:36:15]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 17:06:54]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 12:24:13 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2007-12-08 10:38:38 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-08 09:07:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 19:58:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-09 20:03:35
.
--- E O F ---
 
Good Morning! The computer is performing much much better. On the last few required reboots of the system, after Windows is back up, I get a little window saying:

Error loading Windows\system32\uqglrxkf.ddl The specific module cannot be found.

And besides, that particular file was not available to delete per the previous instructions

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:47 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\Voando.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.orkut.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {6adecc53-c399-4e12-bf9f-0f423ce5a232} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129067442343
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://spmaestro.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {89A218B0-4DE9-4CFB-8DFC-583355DA5330} (MemLaunApp Class) - http://www.worldclassvideochat.com/cab/WCLaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11024 bytes
 