You are here:
Computer Security & Viruses/trojan virus
Advertisement
Question
QUESTION: Hi Brian, You helped me a couple of weeks ago get rid of the pos1.tmp, pos10.tmp virus that screwed up my C drive. I now have an issue with the "trojan Vundo" virus. At 1st it popped up once in a while with some other trojans (I added a brief list of some, of the trojans at the end of HJT log). Today when I went online my Symantec Antivirus Notifications kept popping up (over 1000 instances). Please let me know what I need to do this time.
david
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:58 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe
C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [187f0669] rundll32.exe "C:\WINDOWS\system32\xlfwmguy.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Kjdqejga] "C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8440 bytes
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Adclicker
File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000065.dll
Location: Quarantine
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Feb 10 01:42:34 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000154.dll
Location: Quarantine
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Feb 10 10:28:33 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Infostealer
File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0000376.dll
Location: Quarantine
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Feb 10 12:35:57 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader
File: C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
Location: Quarantine
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Mon Feb 18 14:00:49 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\G1QFK9AN\tr[1]
Location: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\G1QFK9AN
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Mon Feb 18 14:06:56 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\HSWBXTWD\tr[1]
Location: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\HSWBXTWD
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tue Feb 19 14:08:32 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\SPIRCPIJ\tr[1]
Location: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\SPIRCPIJ
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Feb 20 14:09:03 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\WDQ3KTIF\tr[1]
Location: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\WDQ3KTIF
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thu Feb 21 14:13:24 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Metajuan
File: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\8LMFOTYJ\tr[1]
Location: C:\Documents and Settings\Dimension 3100\Local Settings\Temporary Internet Files\Content.IE5\8LMFOTYJ
Computer: DIMENSION3100
User: Dimension 3100
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Fri Feb 22 14:13:41 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\efcbyya.dll
Location: C:\WINDOWS\system32
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sat Feb 23 00:20:36 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\efcbyya.dll
Location: C:\WINDOWS\system32
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sat Feb 23 00:20:39 2008
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\efcbyya.dll
Location: C:\WINDOWS\system32
Computer: DIMENSION3100
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sat Feb 23 00:20:41 2008
ANSWER: Hi David
I'll be glad to help you again. Please follow the instructions below:
Click Start, Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these three options are checked and then press Ok to remove:
* Temporary Files
* Temporary Internet Files
* Recycle Bin
Next, turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Next, Download Vundo Fix and save it to your desktop:
http://www.atribune.org/ccount/click.php?id=4
When it has completed downloading, double-click VundoFix.exe to run it.
1. Click the Scan for Vundo button.
2. Once it's done scanning, click the Remove Vundo button.
3. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
4. When completed, it will prompt that it will shutdown your computer, click the OK button.
5.When the computer has shutdown, turn your computer back on.
Download Dr.Web CureIt from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Double click to run the utility and press the "Start" button in the opened window. Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files. Then, select the Complete scan and press the "Start scanning" button on the scanner right. While being scanned, infected files are cured, incurable files are moved to the quarantine directory. When the scanning is finished, the log file and the quarantine are not deleted.
Finally, post me the results of the Dr.Web scan and a fresh HJT log in a follow-up here.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian, Not such good luck this time. I did as you instructed but the Vundo virus keeps popping up. When I did the Dr. Web I got a blue screen memory dump (IRQL_NOT_LESS_OR_EQUAL). I tried this twice and had the same error. I had to leave for several hours today and when I got back I had over 13,000 Vundo occuraces. HJT attached below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:32 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\dwwin.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [187f0669] rundll32.exe "C:\WINDOWS\system32\exqwxkve.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Kjdqejga] "C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8532 bytes
ANSWER: Hi David
Download VirtumundoBegone and save it to your desktop:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Now reboot into Safe Mode:
1. This can be done tapping the F8 key as soon as you start your computer
2. You will be brought to a menu where you can choose to boot into safe mode.
3. Select safe mode with networking using your arrow keys on the keyboard and then press enter.
4. When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps,
3. Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.
4. Exit when it has finished, and reboot back to normal mode.
Next, Please download ComboFix and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply along with a fresh HJT log.
Note - Do not mouseclick combofix's window while the program is running. That may cause it to stall.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian, I've done as instructed. I no longer get the vundo quarantine message. Attached is the combo fix log & HJT.
ComboFix 08-02-25.3 - Dimension 3100 2008-02-25 18:41:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.680 [GMT -5:00]
Running from: C:\Documents and Settings\Dimension 3100\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Dimension 3100\My Documents\APPATC~1
C:\Documents and Settings\Dimension 3100\My Documents\APPATC~1\w?nspool.exe
C:\Documents and Settings\Dimension 3100\My Documents\DOBE~1
C:\Documents and Settings\Dimension 3100\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Dimension 3100\My Documents\DOBE~1\notepad.exe
C:\Documents and Settings\Dimension 3100\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Dimension 3100\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Dimension 3100\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\isgTi19
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\byxbwkai.ini
C:\WINDOWS\system32\evkxwqxe.ini
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\grouscha.ini
C:\WINDOWS\system32\ifdgqmpt.ini
C:\WINDOWS\system32\jojvgkhq.dll
C:\WINDOWS\system32\mejsxnvn.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qhkgvjoj.ini
C:\WINDOWS\system32\uxqmmbdd.ini
C:\WINDOWS\system32\wbwmgujn.ini
C:\WINDOWS\system32\xavkgqhv.dll
C:\WINDOWS\system32\yugmwflx.ini
.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.
2008-02-24 21:35 . 2008-02-24 21:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 21:35 . 2008-02-24 21:35 5,120 --a------ C:\WINDOWS\s.dll
2008-02-24 21:35 . 2008-02-24 21:35 5,120 --a------ C:\Documents and Settings\Dimension 3100\~.exe
2008-02-24 21:35 . 2008-02-24 21:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 22:07 . 2008-02-23 22:07 <DIR> d-------- C:\Documents and Settings\Dimension 3100\DoctorWeb
2008-02-23 09:06 . 2008-02-23 23:02 <DIR> d-------- C:\VundoFix Backups
2008-02-22 21:36 . 2008-02-22 21:36 <DIR> d-------- C:\Documents and Settings\Dimension 3100\Application Data\Talkback
2008-02-21 14:10 . 2008-02-21 14:10 70,824 --a------ C:\WINDOWS\BM1b4c35f5.xml
2008-02-21 14:10 . 2008-02-21 14:10 22 --a------ C:\WINDOWS\pskt.ini
2008-02-19 00:23 . 2008-02-19 00:23 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-18 14:00 . 2008-02-18 14:00 37,376 --a------ C:\WINDOWS\system32\efcbyya.dll.vir
2008-02-08 20:37 . 2008-02-08 20:37 <DIR> d-------- C:\Program Files\BitZipper
2008-02-08 20:37 . 2008-02-08 20:40 <DIR> d-------- C:\Documents and Settings\Dimension 3100\Application Data\BitZipper
2008-02-08 20:10 . 2008-02-08 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-08 17:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-08 17:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-08 17:47 . 2008-02-08 10:37 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-08 17:47 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-08 17:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-08 17:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-08 17:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-08 17:47 . 2008-02-08 17:47 4,302 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-07 21:23 . 2008-02-07 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 21:41 . 2008-01-26 21:41 <DIR> d-------- C:\Temp\cXzz9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 23:50 --------- d-----w C:\Documents and Settings\Dimension 3100\Application Data\uTorrent
2008-02-25 02:35 5,120 ----a-w C:\Documents and Settings\Dimension 3100\~.exe
2008-02-09 01:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 04:22 --------- d-----w C:\Program Files\uTorrent
2007-12-27 00:37 --------- d-----w C:\Documents and Settings\Dimension 3100\Application Data\AdobeUM
2007-01-25 05:21 8 --sh--r C:\WINDOWS\system32\38FA201BCC.sys
2007-01-25 05:37 104 --sh--r C:\WINDOWS\system32\CC1B20FA38.sys
2007-11-11 03:15 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F660A4-6EDC-4B68-AF02-E20F498C8AC3}]
C:\WINDOWS\system32\mljjh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23783E07-727A-491B-905A-F0F85E379FE4}]
C:\WINDOWS\system32\vtstt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B62CC40B-DDDC-44DB-BB22-B96D35D14F82}]
C:\WINDOWS\system32\ssqpm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-09 21:30 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-09 21:30 267592]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"µTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-01-30 21:45 219952]
"BMUpdate"="C:\WINDOWS\system32\BMUpdate.exe" [2000-03-16 09:51 180224]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 11:55 1347584]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"Uaol"="C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe" [ ]
"Kjdqejga"="C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-06 11:32 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-06 11:32 98304]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-06 11:41 169472]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2003-05-14 05:21 1847296]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [2003-02-19 16:16 40960]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 05:42 36864]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 13:29 35328]
"Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 10:01 319488]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-06 11:29:47 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=
S3 PAC207;Basic Webcam;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-20 07:48]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 18:52:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-25 18:58:10 - machine was rebooted [Dimension 3100]
ComboFix-quarantined-files.txt 2008-02-25 23:58:06
ComboFix2.txt 2008-02-08 04:48:40
.
2008-02-13 08:03:38 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:07 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18F660A4-6EDC-4B68-AF02-E20F498C8AC3} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {23783E07-727A-491B-905A-F0F85E379FE4} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B62CC40B-DDDC-44DB-BB22-B96D35D14F82} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\DIMENS~1\MYDOCU~1\DOBE~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Kjdqejga] "C:\Documents and Settings\Dimension 3100\My Documents\A?pPatch\w?nspool.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9530 bytes
Hi David
Yes, your log looks good. You just need to clean up the deleted files, then you're good to go. Close all windows, then run HJT (scan only) and place a check mark in the box next to the following items, then click the Fix Checked button:
O2 - BHO: (no name) - {18F660A4-6EDC-4B68-AF02-E20F498C8AC3} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {23783E07-727A-491B-905A-F0F85E379FE4} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: (no name) - {B62CC40B-DDDC-44DB-BB22-B96D35D14F82} - C:\WINDOWS\system32\ssqpm.dll (file missing)
After fixing, reboot and check to make sure the files are gone. If you have any further questions, please let me know. Good luck!
Brian
- Add to this Answer
- Ask a Question
Questioner's Rating
| Rating(1-10) | Knowledgeability = 10 | Clarity of Response = 10 | Politeness = 10 |
| Comment | This was the 2nd time I needed Brian's help to get rid of another pesky virus. Each time was successful. He replied to me rather quickly and his instructions were easy to follow. A | ||
Related Articles
Computer Security & Viruses
Answers by Expert:
Brian Benosky
Expertise
I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.
Experience
I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here:
http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm
I am also a Top Contributor of General Computing answers in Yahoo! Questions.
Education/Credentials
College Educated
Self-taught Computer Skills
©2012 About.com, a part of The New York Times Company. All rights reserved.