vinakamath
Members, Posts: 4

Everything posted by vinakamath

  1. I forgot to answer this in my earlier post... i2.com is my company domain. In this case do I still have to run SmitFraudFix?
  2. Just realized I didn't attach the latest mbam log:

Malwarebytes' Anti-Malware 1.32
Database version: 1646
Windows 5.1.2600 Service Pack 2

1/12/2009 6:07:45 PM
mbam-log-2009-01-12 (18-07-45).txt

Scan type: Quick Scan
Objects scanned: 98740
Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  3. While awaiting your reply I tried a few things, and I think I may have been successful in removing the trojan. Here are the steps I took:
1) Disabled TeaTimer
2) Disabled system restore
3) There were two entries I fixed using HijackThis:
   BHO - {no name} - {xxxxxxxxxxxxxxxxxxx....}
   O20 - AppInit <3 DLLs>
4) Restarted the system
5) Ran mbam Quick Scan - 2 problems showed up as above. Fixed these.
6) Restarted the system.
This seems to have fixed the issue since the MS Juan and MS Track System don't show up anymore. Also, there is no popup issue with Firefox. And Vundo does not show up in S&D or mbam. After all this, I turned on TeaTimer. I just ran HijackThis and the following entry showed up... I had fixed a similar entry in HijackThis previously:
O2 - BHO: (no name) - {E389CDA1-7ED6-4605-B9A6-9E648714D623} - (no file)
So has Vundo gone away or is it just hiding to fight another day? Also, I need these Java versions for my work since I need to work on older Java versions for some older products. Thanks for all your help.
Just attaching the latest mbam and hjt logs for your reference:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:46 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\PSXRUN.EXE
C:\WINDOWS\system32\psxss.exe
C:\SFU\usr\sbin\zzInterix
C:\SFU\usr\sbin\init
C:\SFU\usr\sbin\inetd
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\KEF157.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\jre1.5.0_14\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\jre1.5.0_14\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint
O15 - Trusted Zone: http://*.sharepoint (HKLM)
O15 - ESC Trusted Zone: http://mozilla.davz.net
O15 - ESC Trusted Zone: http://i2corpinet1.i2.com
O15 - ESC Trusted Zone: http://www.mozilla.com
O15 - ESC Trusted Zone: http://sea.search.msn.com
O15 - ESC Trusted Zone: http://www.netidentity.com
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://login.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://www.sysinternals.com
O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)
O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)
O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)
O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)
O15 - ESC Trusted Zone: http://login.passport.com (HKLM)
O15 - ESC Trusted Zone: http://login.passport.net (HKLM)
O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com
O17 - HKLM\Software\..\Telephony: DomainName = i2.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 14521 bytes
  4. I have Spybot S&D immunizing my system. Also have OfficeScan as the anti-virus (this is provided by my company, so I don't have a choice here). OfficeScan doesn't find anything. S&D found Trojan.Vundo and said it removed that successfully. But Vundo keeps showing up. I then found MalwareBytes and ran that. The steps I have followed are:
1) Turn off system restore.
2) Ran Malwarebytes Quick Scan
3) Fixed problems.
I have attached the log which says it removed 2 registry entries for MS Juan and MS Track System. When I restart the system the registry entries come back up. I have also tried VundoFix, VundoBeGone and Symantec's FixVundo. None of these work. Also, tried running MalwareBytes in safe mode. Didn't work. In terms of my system, IE 6 works fine. But when I use Firefox, I get popups redirecting to sagipsul.com and these popups are opening IE windows. Don't know if this is a separate issue. I am attaching the MalwareBytes log and the HijackThis log:

Malwarebytes' Anti-Malware 1.32
Database version: 1646
Windows 5.1.2600 Service Pack 2

1/12/2009 2:22:17 PM
mbam-log-2009-01-12 (14-22-17).txt

Scan type: Quick Scan
Objects scanned: 99758
Time elapsed: 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:43 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\PSXRUN.EXE
C:\WINDOWS\system32\psxss.exe
C:\SFU\usr\sbin\zzInterix
C:\SFU\usr\sbin\init
C:\SFU\usr\sbin\inetd
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\ULDEAF.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\jre1.5.0_14\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\jre1.5.0_14\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint
O15 - Trusted Zone: http://*.sharepoint (HKLM)
O15 - ESC Trusted Zone: http://mozilla.davz.net
O15 - ESC Trusted Zone: http://i2corpinet1.i2.com
O15 - ESC Trusted Zone: http://www.mozilla.com
O15 - ESC Trusted Zone: http://sea.search.msn.com
O15 - ESC Trusted Zone: http://www.netidentity.com
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://login.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://www.sysinternals.com
O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)
O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)
O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)
O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)
O15 - ESC Trusted Zone: http://login.passport.com (HKLM)
O15 - ESC Trusted Zone: http://login.passport.net (HKLM)
O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB
O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com
O17 - HKLM\Software\..\Telephony: DomainName = i2.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xoovts.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 14747 bytes
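The entries the poster ended up fixing by hand (an O2 BHO with no name and no backing file, and the O20 AppInit_DLLs line) are exactly the kind of thing that is easy to miss when reading a HijackThis log by eye. As an added example, not code from this thread, from Malwarebytes or from Trend Micro's HijackThis, here is a small Python triage script that parses HijackThis output, flags those entry types together with processes running out of a temp directory and O23 services whose binary is missing, and diffs two logs of the same machine to show what changed after a cleanup. The two sample logs are constructed excerpts of lines that appear in the posts above (the 3:15 PM and 7:30 PM scans); the O2 line is the one the poster quoted in prose rather than part of a pasted log, and the whitespace split of the AppInit_DLLs value assumes 8.3 short paths as in the posted log.

```python
import re

# Numbered entries look like "O20 - AppInit_DLLs: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Executables launched out of a temp directory deserve a second look during triage.
TEMP_DIR_RE = re.compile(r"\\(?:TEMP|TMP|Temporary Internet Files)\\", re.IGNORECASE)

# Constructed samples: a few lines excerpted from the two HijackThis logs in the
# thread (3:15 PM before the manual fixes, 7:30 PM after), plus the O2 line the
# poster quoted in prose. Real logs are longer; the parser treats them the same way.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:43 PM, on 1/12/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\ULDEAF.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {E389CDA1-7ED6-4605-B9A6-9E648714D623} - (no file)
O15 - ESC Trusted Zone: http://www.mozilla.com
O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xoovts.dll
O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:46 PM, on 1/12/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\KEF157.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O15 - ESC Trusted Zone: http://www.mozilla.com
O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:                      # the first numbered entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (tag, detail) findings worth a human's attention; tags are hints, not verdicts."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if TEMP_DIR_RE.search(proc):
            findings.append(("process-in-temp", proc))
    for section, body in entries:
        if section == "O2" and ("(no name)" in body or body.endswith("(no file)")):
            # A BHO registration with no name and no file behind it is an orphan.
            findings.append(("orphan-bho", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # On XP every DLL listed here is loaded into each process that loads user32.dll.
            # Splitting on whitespace assumes 8.3 short paths, as in the posted log;
            # a long path containing spaces would need smarter tokenising.
            for dll in body[len("AppInit_DLLs:"):].split():
                tag = "appinit-dll" if "\\" in dll else "appinit-dll-bare-name"
                findings.append((tag, dll))
        elif section == "O23" and body.endswith("(file missing)"):
            # Service still registered but its binary is gone: stale uninstall or removed payload.
            findings.append(("service-file-missing", body))
    return findings


def diff_entries(before, after):
    """Entries that disappeared and that appeared between two logs of the same machine."""
    old = set(parse_hjt(before)[1])
    new = set(parse_hjt(after)[1])
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label} ==")
        for tag, detail in triage(log):
            print(f"  [{tag}] {detail}")
    gone, appeared = diff_entries(LOG_BEFORE, LOG_AFTER)
    print("== entries gone after cleanup ==")
    for section, body in gone:
        print(f"  {section} - {body}")
```

Run as a script, the diff confirms that the orphaned BHO and the AppInit_DLLs line are absent from the later sample, which matches what the poster reports. The process list tells a less tidy story: both samples contain an executable running from C:\WINDOWS\TEMP, under a different random-looking name each time (ULDEAF.EXE, then KEF157.EXE), and that is the kind of residue a scanner's "No malicious items detected" summary says nothing about, so it is worth identifying before declaring the machine clean.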