
vundo trojan + rootkit



My wife's business computer picked up a nasty Trojan over the holidays. I have scanned it several times with Malwarebytes, but the problems seem to keep coming back. One of the rootkit scanners I used showed up a rootkit. I have attached the GMER rootkit scanner report and the DDS logs. Any assistance in resolving this problem would be greatly appreciated.

Have a very happy new year

Brookway 17

DDS (Ver_09-12-01.01) - NTFSx86

Run by diane at 16:14:00.98 on Wed 12/30/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.389 [GMT -5:00]

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\ehome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\SnoopFreeSvc.exe

C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\SnoopFreeUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\qttask.exe

C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

F:\Stencils\dsfhost.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Craft ROBO Controller\CRSSupervisor.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Documents and Settings\diane\Desktop\Malware\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\System32\browseui.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [iAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe

mRun: [snoopFreeUI] SnoopFreeUI.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime

mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"

mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [<NO NAME>]

mRun: [DSFHost] f:\stencils\dsfhost.exe

dRun: [spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\craftr~1.lnk - c:\program files\craft robo controller\CRSSupervisor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

mPolicies-explorer: <NO NAME> =

IE: &Search

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E065DE4B-6F0E-45FD-B30F-04ED81D5C258} - hxxp://download.microsoft.com/download/0/7/1/0715cb0a-51f5-4d17-b482-e8c457971efa/AppCompR.CAB

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: WRNotifier - WRLogonNTF.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\diane\applic~1\mozilla\firefox\profiles\default.yn8\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://wwwa.accuweather.com/index-forecast.asp?partner=accuweather&traveler=0&zipcode=18940&u=1|http://www.ebay.com/

FF - plugin: c:\documents and settings\diane\application data\mozilla\firefox\profiles\default.yn8\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-12-30 15:03:42 0 d-----w- c:\docume~1\diane\applic~1\Malwarebytes

2009-12-29 02:58:42 0 ----a-w- c:\windows\system32\29358.exe

2009-12-29 02:38:42 0 ----a-w- c:\windows\system32\11478.exe

2009-12-29 00:17:00 0 ----a-w- c:\windows\system32\15724.exe

2009-12-28 23:57:00 0 ----a-w- c:\windows\system32\19169.exe

2009-12-28 23:37:00 0 ----a-w- c:\windows\system32\26500.exe

2009-12-28 23:17:00 0 ----a-w- c:\windows\system32\6334.exe

2009-12-28 22:57:00 0 ----a-w- c:\windows\system32\18467.exe

2009-12-20 19:55:02 54156 ---ha-w- c:\windows\QTFont.qfn

2009-12-20 19:55:02 1409 ----a-w- c:\windows\QTFont.for

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-12-05 00:14:11 4212 ---h--w- c:\windows\system32\zllictbl.dat

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll

2009-11-13 22:57:16 922112 ------w- c:\windows\system32\dllcache\imapi2fs.dll

2009-11-13 22:57:16 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys

2009-11-13 22:57:16 62592 ------w- c:\windows\system32\dllcache\cdrom.sys

2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll

2009-11-13 22:57:16 426496 ------w- c:\windows\system32\dllcache\imapi2.dll

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll

2004-09-29 03:55:52 251 ----a-w- c:\program files\wt3d.ini

============= FINISH: 16:17:42.64 ===============

Malware.zip
