Need some help

TheBigSwigg · December 17, 2008

Picked up a bug a few weeks ago, and I thought I had it, but it keeps coming back. I would appreciate any and all help. Here's my logs:

Malwarebytes' Anti-Malware 1.28

Database version: 1251

Windows 5.1.2600 Service Pack 2

12/16/2008 6:27:56 PM

mbam-log-2008-12-16 (18-27-56).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 302062

Time elapsed: 1 hour(s), 37 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\wibotelo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74c37c3a-6a43-4b56-95bf-31e3da795ea5} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{74c37c3a-6a43-4b56-95bf-31e3da795ea5} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9439bd5f (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sogimoyeni (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\muzakego.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ogekazum.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rewufufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ufufuwer.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\viveveno.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\oneveviv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wibotelo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\oletobiw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wozilovi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ivolizow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zejitifi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ifitijez.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\royotago.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

Active Scan

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-16 23:12:11

PROTECTIONS: 2

MALWARE: 19

SUSPECTS: 1

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Norton Antivirus 2005 11.5.3 No No

Trend Micro PC-Cillin 2004 11.25 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\rdfa

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.trafficmp.com/]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.doubleclick.net/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.atdmt.com/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.fastclick.net/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.tribalfusion.com/]

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.mediaplex.com/]

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[ad.yieldmanager.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.advertising.com/]

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.ads.pointroll.com/]

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.overture.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.realmedia.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.questionmarket.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.zedo.com/]

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator.TELETRAN1\Application Data\Mozilla\Firefox\Profiles\qvlssi81.default\cookies-1.txt[.bluestreak.com/]

00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL

00471552 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\vtULFxvu.dll

00471552 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\nnnmlLcd.dll

00471552 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Tara.TELETRAN1\Local Settings\Temporary Internet Files\Content.IE5\UZEFYD4F\apstpldr.dll[1].htm

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\vwnskbot.dll

03983016 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Updates from HP\9972322\Program\Interop.SHDocVw.dll

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location %

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\Runservice.exe %

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description %

;===============================================================================

================================================================================

=

===================

184380 MEDIUM MS08-002 %

184379 MEDIUM MS08-001 %

182048 HIGH MS07-069 %

182046 HIGH MS07-067 %

182043 HIGH MS07-064 %

179553 HIGH MS07-061 %

176382 HIGH MS07-057 %

176383 HIGH MS07-058 %

170911 HIGH MS07-050 %

170907 HIGH MS07-046 %

170906 HIGH MS07-045 %

170904 HIGH MS07-043 %

164915 HIGH MS07-035 %

164913 HIGH MS07-033 %

164911 HIGH MS07-031 %

160623 HIGH MS07-027 %

157262 HIGH MS07-022 %

157261 HIGH MS07-021 %

157260 HIGH MS07-020 %

157259 HIGH MS07-019 %

156477 HIGH MS07-017 %

150253 HIGH MS07-016 %

150249 HIGH MS07-013 %

150248 HIGH MS07-012 %

150247 HIGH MS07-011 %

150243 HIGH MS07-008 %

150242 HIGH MS07-007 %

150241 MEDIUM MS07-006 %

145501 HIGH MS07-004 %

141034 HIGH MS06-076 %

141033 MEDIUM MS06-075 %

137571 HIGH MS06-070 %

133387 MEDIUM MS06-065 %

133386 MEDIUM MS06-064 %

133385 MEDIUM MS06-063 %

133379 HIGH MS06-057 %

129977 MEDIUM MS06-053 %

129976 MEDIUM MS06-052 %

126093 HIGH MS06-051 %

126092 MEDIUM MS06-050 %

126087 HIGH MS06-046 %

126086 MEDIUM MS06-045 %

126082 HIGH MS06-041 %

126081 HIGH MS06-040 %

123421 HIGH MS06-036 %

123420 HIGH MS06-035 %

120825 MEDIUM MS06-032 %

120823 MEDIUM MS06-030 %

120818 HIGH MS06-025 %

120815 HIGH MS06-022 %

117384 MEDIUM MS06-018 %

114666 HIGH MS06-015 %

108744 MEDIUM MS06-008 %

108743 MEDIUM MS06-007 %

108742 MEDIUM MS06-006 %

104567 HIGH MS06-002 %

104237 HIGH MS06-001 %

96574 HIGH MS05-053 %

93394 HIGH MS05-050 %

93454 MEDIUM MS05-049 %

;===============================================================================

================================================================================

=

===================

HiJack This!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:17:46 PM, on 12/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCMTR.EXE

C:\WINDOWS\ALCWZRD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {052ACEE1-0BA6-4387-B740-F2CE9F188091} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {074C1DC5-9320-4A9A-947D-C042949C6216} - (no file)

O2 - BHO: (no name) - {224933BF-1890-44F7-96FA-0A41B1F55F76} - (no file)

O2 - BHO: (no name) - {24D789BD-4505-4854-812E-54A80B6ADBCA} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {711193D0-A234-4208-BBD8-6483AD9154B5} - (no file)

O2 - BHO: (no name) - {74c37c3a-6a43-4b56-95bf-31e3da795ea5} - C:\WINDOWS\system32\royotago.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [CPM970a8ec3] Rundll32.exe "c:\windows\system32\fanudugu.dll",a

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-20\..\Run: [sogimoyeni] Rundll32.exe "C:\WINDOWS\system32\kuvimulo.dll",s (User 'NETWORK SERVICE')

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: kcemlg.dll ympkfd.dll nqukgn.dll c:\windows\system32\sekapehu.dll c:\windows\system32\sefosunu.dll c:\windows\system32\homowuko.dll c:\windows\system32\tulomuwa.dll c:\windows\system32\hobolaku.dll c:\windows\system32\fanudugu.dll,C:\WINDOWS\system32\dezifamu.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fanudugu.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fanudugu.dll

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS Service (ISSVC) - Unknown owner - c:\Program Files\Norton Internet Security\ISSVC.exe (file missing)

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

O24 - Desktop Component 0: Privacy Protection - (no file)

O24 - Desktop Component 1: My Current Home Page - About:Home

--

End of file - 12275 bytes

Again, many thanks for any help

TheBigSwigg · December 18, 2008

Scanned with Malwarebytes again (updated the database):

Malwarebytes' Anti-Malware 1.31

Database version: 1512

Windows 5.1.2600 Service Pack 2

12/18/2008 5:17:09 PM

mbam-log-2008-12-18 (17-17-09).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 292399

Time elapsed: 1 hour(s), 31 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 6

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\nupotuku.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\vujigami.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74c37c3a-6a43-4b56-95bf-31e3da795ea5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{74c37c3a-6a43-4b56-95bf-31e3da795ea5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9439bd5f (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sogimoyeni (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm970a8ec3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vujigami.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vujigami.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\nupotuku.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ukutopun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\vujigami.dll (Trojan.Vundo.H) -> Delete on reboot.

------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:20:32 PM, on 12/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe