Please Help can't get rid of BHO and Vundo


Hi,

Thank you for any help you can provide. I have run several programs and cannot get rid of these two problems. I'm worried because I need to log on to my work VPN sometimes. I have read your introductory post and here are the logs that are requested. Thanks again for any help.

Malwarebytes' Anti-Malware 1.31

Database version: 1572

Windows 5.1.2600 Service Pack 3

1/1/2009 9:04:16 AM

mbam-log-2009-01-01 (09-04-16).txt

Scan type: Quick Scan

Objects scanned: 52566

Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

********************************************************************************

PANDA ANALYSIS: 2009-01-01 10:19:13

PROTECTIONS: 1

MALWARE: 3

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Symantec Antivirus Corporate Edition 10.1 No Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_classes_root\clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Chrisb\Desktop\VirtumundoBeGone.exe

00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\VirtumundoBeGone.exe

01895148 Malicious Packer SecRisk No 0 Yes No C:\RECYCLER\S-1-5-21-3280077785-104498234-1438945308-1006\Dc4\patch_and_keygen\keygen.exe

;===============================================================================

SUSPECTS

Sent Location O

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description O

;===============================================================================

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:54:26 AM, on 1/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080515

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080515

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230700004218

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.scripps.org/dana-cached/setup/J...perSetupSP1.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 8087 bytes

C:\RECYCLER\S-1-5-21-3280077785-104498234-1438945308-1006\Dc4\patch_and_keygen\keygen.exe

Shows you've been using cracks/keygens.

However, I notice now that it's been deleted.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks, Tigger.

Here are those two logs:

ComboFix 08-12-31.01 - Chrisb 2009-01-01 12:55:03.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1418 [GMT -8:00]

Running from: c:\documents and settings\Chrisb\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\x64

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PACKET

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))

.

2009-01-01 10:54 . 2009-01-01 10:54 <DIR> d-------- c:\program files\Trend Micro

2009-01-01 09:23 . 2009-01-01 09:23 <DIR> d-------- c:\program files\Panda Security

2009-01-01 09:23 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-31 19:15 . 2009-01-01 10:51 <DIR> d-------- c:\program files\Enigma Software Group

2008-12-31 16:25 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-31 16:25 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-29 21:20 . 2008-10-16 12:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2008-12-29 21:20 . 2007-04-17 01:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2008-12-29 21:20 . 2007-03-07 21:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2008-12-29 21:20 . 2008-10-16 12:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2008-12-29 21:20 . 2008-10-16 12:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2008-12-29 21:20 . 2008-10-16 12:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2008-12-29 21:20 . 2008-10-16 12:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2008-12-29 21:20 . 2008-10-16 12:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2008-12-29 21:20 . 2008-10-16 05:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\scripting

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\en

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\bits

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\l2schemas

2008-12-29 20:41 . 2008-12-29 20:41 <DIR> d-------- c:\windows\ServicePackFiles

2008-12-29 20:38 . 2008-12-29 20:38 <DIR> d-------- c:\windows\EHome

2008-12-29 20:07 . 2008-09-08 02:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

2008-12-29 20:06 . 2008-08-14 02:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2008-12-29 20:06 . 2008-08-14 02:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-12-29 20:06 . 2008-08-14 01:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-12-29 20:06 . 2008-08-14 01:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2008-12-29 20:06 . 2008-09-15 04:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

2008-12-29 20:06 . 2008-04-11 11:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll

2008-12-29 20:06 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

2008-12-29 20:06 . 2008-05-01 06:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll

2008-12-29 20:05 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-12-29 20:05 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2008-12-29 19:26 . 2008-12-29 19:26 <DIR> d-------- C:\VundoFix Backups

2008-12-29 19:19 . 2008-12-29 19:19 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-29 19:19 . 2008-12-29 19:19 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-28 17:32 . 2008-12-28 17:32 0 --a------ c:\windows\VPC32.INI

2008-12-28 16:58 . 2009-01-01 12:57 <DIR> d-------- c:\program files\Symantec AntiVirus

2008-12-28 16:58 . 2008-12-28 16:58 <DIR> d-------- c:\program files\Symantec

2008-12-28 16:58 . 2008-12-28 16:59 <DIR> d-------- c:\program files\Common Files\Symantec Shared

2008-12-28 16:58 . 2008-12-28 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2008-12-28 16:58 . 2008-12-28 16:58 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2008-12-28 16:58 . 2008-12-28 16:58 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2008-12-28 16:58 . 2008-12-28 16:58 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-28 16:58 . 2008-12-28 16:58 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2008-12-28 16:42 . 2008-12-28 16:42 <DIR> d-------- c:\program files\Lavasoft

2008-12-28 16:42 . 2008-12-28 16:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-28 16:42 . 2008-12-28 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-28 15:53 . 2008-12-29 19:33 <DIR> d-------- c:\program files\Windows Live Safety Center

2008-12-28 13:52 . 2008-12-31 21:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-28 13:52 . 2008-12-28 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\documents and settings\Chrisb\Application Data\Malwarebytes

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-28 13:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-28 13:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 20:57 . 2008-12-27 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-27 20:56 . 2008-12-28 13:21 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-27 20:56 . 2008-12-28 13:21 <DIR> d-------- c:\documents and settings\Chrisb\Application Data\SUPERAntiSpyware.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-30 03:19 --------- d-----w c:\program files\Java

2008-12-29 00:41 238 ----a-w c:\program files\pecld.txt

2008-11-09 23:18 --------- d-----w c:\program files\Common Files\Adobe

2008-11-05 02:15 25,280 ----a-w c:\documents and settings\Chrisb\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-15 29744]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-01 28544]

R1 NEOFLTR_600_13319;Juniper Networks TDI Filter Driver (NEOFLTR_600_13319);\??\c:\windows\system32\Drivers\NEOFLTR_600_13319.SYS [2008-06-24 64160]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-28 99376]

S0 ndfvmc;ndfvmc;c:\windows\system32\drivers\zetz.sys []

S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2008-09-30 116664]

*Newly Created Service* - PAVBOOT

.

Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\xflurnwa.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: *.scripps.net

Trusted Zone: vpn.scripps.org

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-01 12:57:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*

Just a few leftovers to get. :)

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\Tasks\xflurnwa.job

Folder::

C:\VundoFix Backups

Driver::

ndfvmc

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.
Thanks for all your help. I really appreciate it.

ComboFix 08-12-31.01 - Chrisb 2009-01-01 13:30:04.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1480 [GMT -8:00]

Running from: c:\documents and settings\Chrisb\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Chrisb\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\Tasks\xflurnwa.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\VundoFix Backups

c:\windows\Tasks\xflurnwa.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ndfvmc

((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))

.

2009-01-01 10:54 . 2009-01-01 10:54 <DIR> d-------- c:\program files\Trend Micro

2009-01-01 09:23 . 2009-01-01 09:23 <DIR> d-------- c:\program files\Panda Security

2009-01-01 09:23 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-31 19:15 . 2009-01-01 10:51 <DIR> d-------- c:\program files\Enigma Software Group

2008-12-31 16:25 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-31 16:25 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-29 21:20 . 2008-10-16 12:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2008-12-29 21:20 . 2007-04-17 01:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2008-12-29 21:20 . 2007-03-07 21:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2008-12-29 21:20 . 2008-10-16 12:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2008-12-29 21:20 . 2008-10-16 12:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2008-12-29 21:20 . 2008-10-16 12:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2008-12-29 21:20 . 2008-10-16 12:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2008-12-29 21:20 . 2008-10-16 12:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2008-12-29 21:20 . 2008-10-16 05:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\scripting

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\en

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\system32\bits

2008-12-29 20:42 . 2008-12-29 20:42 <DIR> d-------- c:\windows\l2schemas

2008-12-29 20:41 . 2008-12-29 20:41 <DIR> d-------- c:\windows\ServicePackFiles

2008-12-29 20:38 . 2008-12-29 20:38 <DIR> d-------- c:\windows\EHome

2008-12-29 20:07 . 2008-09-08 02:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

2008-12-29 20:06 . 2008-08-14 02:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2008-12-29 20:06 . 2008-08-14 02:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-12-29 20:06 . 2008-08-14 01:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-12-29 20:06 . 2008-08-14 01:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2008-12-29 20:06 . 2008-09-15 04:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

2008-12-29 20:06 . 2008-04-11 11:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll

2008-12-29 20:06 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

2008-12-29 20:06 . 2008-05-01 06:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll

2008-12-29 20:05 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-12-29 20:05 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2008-12-29 19:19 . 2008-12-29 19:19 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-29 19:19 . 2008-12-29 19:19 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-28 17:32 . 2008-12-28 17:32 0 --a------ c:\windows\VPC32.INI

2008-12-28 16:58 . 2009-01-01 13:32 <DIR> d-------- c:\program files\Symantec AntiVirus

2008-12-28 16:58 . 2008-12-28 16:58 <DIR> d-------- c:\program files\Symantec

2008-12-28 16:58 . 2008-12-28 16:59 <DIR> d-------- c:\program files\Common Files\Symantec Shared

2008-12-28 16:58 . 2008-12-28 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2008-12-28 16:58 . 2008-12-28 16:58 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2008-12-28 16:58 . 2008-12-28 16:58 60,800 --a------ c:\windows\system32\S32EVNT1.DLL

2008-12-28 16:58 . 2008-12-28 16:58 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-28 16:58 . 2008-12-28 16:58 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2008-12-28 16:42 . 2008-12-28 16:42 <DIR> d-------- c:\program files\Lavasoft

2008-12-28 16:42 . 2008-12-28 16:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-28 16:42 . 2008-12-28 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-28 15:53 . 2008-12-29 19:33 <DIR> d-------- c:\program files\Windows Live Safety Center

2008-12-28 13:52 . 2008-12-31 21:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-28 13:52 . 2008-12-28 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\documents and settings\Chrisb\Application Data\Malwarebytes

2008-12-28 13:41 . 2008-12-28 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-28 13:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-28 13:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 20:57 . 2008-12-27 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-27 20:56 . 2008-12-28 13:21 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-27 20:56 . 2008-12-28 13:21 <DIR> d-------- c:\documents and settings\Chrisb\Application Data\SUPERAntiSpyware.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-30 03:19 --------- d-----w c:\program files\Java

2008-12-29 00:41 238 ----a-w c:\program files\pecld.txt

2008-11-09 23:18 --------- d-----w c:\program files\Common Files\Adobe

2008-11-05 02:15 25,280 ----a-w c:\documents and settings\Chrisb\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((( snapshot@2009-01-01_12.58.36.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-01 21:32:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_744.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-15 29744]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-01 28544]

R1 NEOFLTR_600_13319;Juniper Networks TDI Filter Driver (NEOFLTR_600_13319);\??\c:\windows\system32\Drivers\NEOFLTR_600_13319.SYS [2008-06-24 64160]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-28 99376]

S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2008-09-30 116664]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: *.scripps.net

Trusted Zone: vpn.scripps.org

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-01 13:32:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*


I cleaned up, and I then ran Malwarebytes and it is still showing up.

Malwarebytes' Anti-Malware 1.31

Database version: 1589

Windows 5.1.2600 Service Pack 3

1/1/2009 1:58:54 PM

mbam-log-2009-01-01 (13-58-54).txt

Scan type: Quick Scan

Objects scanned: 52508

Time elapsed: 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use the Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.


Paste this into the fix box:

[Kill Explorer]
[Registry - Safe List]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3280077785-104498234-1438945308-1006\] > -> HKEY_USERS\S-1-5-21-3280077785-104498234-1438945308-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab[Java Plug-in 1.5.0_06]
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> VirtumundoBeGone.exe -> %UserProfile%\Desktop\VirtumundoBeGone.exe
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> Perflib_Perfdata_73c.dat -> %SystemRoot%\Temp\Perflib_Perfdata_73c.dat
NY -> VirtumundoBeGone.exe -> %UserProfile%\Desktop\VirtumundoBeGone.exe
NY -> rolojaho -> %SystemRoot%\System32\rolojaho
[Purity]
[Empty Temp Folders]
[start Explorer]

Then run the fix. It will produce a log, please post it here.


Process Explorer.EXE killed successfully!

[Registry - Safe List]

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.

Registry value HKEY_USERS\S-1-5-21-3280077785-104498234-1438945308-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

[Files/Folders - Created Within 30 Days]

C:\Documents and Settings\Chrisb\Desktop\VirtumundoBeGone.exe moved successfully.

[Files/Folders - Modified Within 30 Days]

File move failed. C:\WINDOWS\Temp\Perflib_Perfdata_73c.dat scheduled to be moved on reboot.

File C:\Documents and Settings\Chrisb\Desktop\VirtumundoBeGone.exe not found!

C:\WINDOWS\System32\rolojaho moved successfully.

[Purity]

Purity scan complete.

[Empty Temp Folders]

File delete failed. C:\Documents and Settings\Chrisb\Local Settings\Temp\~DF92CF.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_73c.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

RecycleBin -> emptied.

Explorer started successfully

< End of fix log >

OTScanIt2 by OldTimer - Version 1.0.4.2 fix logfile created on 01012009_152310

Files moved on Reboot...

File C:\WINDOWS\Temp\Perflib_Perfdata_73c.dat not found!

File C:\Documents and Settings\Chrisb\Local Settings\Temp\~DF92CF.tmp not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...


This is more likely a permissions issue than a malware issue.

Please download and unzip the file attached. Copy subinacl into C:\windows\system32

Now double-click the fix file and a scan will quickly happen. Once the black box goes away run another MBAM and post the log (make sure to update before scanning).


Hi Tigger

I just did it and it was quarantined and deleted successfully!

Thank you so much for all of your help, I really appreciate that you spent the time helping me. :)

Malwarebytes' Anti-Malware 1.31

Database version: 1597

Windows 5.1.2600 Service Pack 3

1/2/2009 10:49:53 AM

mbam-log-2009-01-02 (10-49-53).txt

Scan type: Quick Scan

Objects scanned: 56629

Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

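Added triage example, not part of the thread or of Malwarebytes' own tooling: a small parser for the MBAM log format shown in the posts above, run over constructed excerpts of the three logs, that reports which detections kept coming back with "Delete on reboot" across scans. That repeat pattern is what distinguishes a key the scanner cannot delete (the permissions problem the helper identified) from a fresh reinfection.

```python
import re

# Constructed excerpts modelled on the three MBAM 1.31 logs posted in this thread;
# only the detection lines matter to the parser, summary counts are ignored.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1572
Registry Keys Infected: 2
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
Files Infected:
(No malicious items detected)
"""
SCAN_2 = r"""Database version: 1589
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
"""
SCAN_3 = r"""Database version: 1597
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One detection line has the shape "<item> (<family>) -> <action>."
DETECTION = re.compile(r"^(?P<item>\S.*?) \((?P<family>[\w.]+)\) -> (?P<action>.*?)\.?$")

def parse_detections(log_text):
    """Map each detected item in one MBAM log to its (family, action) pair."""
    found = {}
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found[m["item"]] = (m["family"], m["action"])
    return found

def removal_history(logs):
    """For every item seen in any scan, list the action each scan reported for it,
    in scan order, with None where that scan no longer reported the item."""
    parsed = [parse_detections(text) for text in logs]
    items = sorted({item for p in parsed for item in p})
    return {item: [p[item][1] if item in p else None for p in parsed] for item in items}

def stuck_items(logs):
    """Items that 'Delete on reboot' failed to remove, i.e. reported with that
    pending action by two or more scans. Repeated failures like this point at a
    registry key the scanner cannot delete (permissions) rather than reinfection."""
    history = removal_history(logs)
    return [item for item, actions in history.items()
            if actions.count("Delete on reboot") >= 2]

if __name__ == "__main__":
    for item, actions in removal_history([SCAN_1, SCAN_2, SCAN_3]).items():
        print(item, "->", actions)
```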

Everything seems to be working back to normal. I was really worried because I use this for work, and was thinking the worst, while hoping for the best.

I am so grateful that you were here yesterday and that I was able to get the help and the fix in no time!

Again, you are a LIFE SAVER!

chris :)

