[Vundo] cannot get rid of virtumonde/vundo trojan in Security Cleanup

[Vundo] cannot get rid of virtumonde/vundo trojan in Security Cleanup http://www.dslreports.com/forum/r22545478 en Sun, 29 Nov 2009 10:21:53 EDT Sun, 29 Nov 2009 10:21:53 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22582729 TheJoker : Thanks for the info and best of luck keeping the system clean. :)
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22582729 Sat, 20 Jun 2009 11:46:24 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22564927 azraders : yes, I do not seem to have the trojans I first reported. thank you for all you've done.

I do have spywareblaster.

The math program I use on the internet is Aleks.com. It is the program that the community college requires me to use for school.

azraders]]> http://www.dslreports.com/forum/remark,22564927 Wed, 17 Jun 2009 09:45:45 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22562812 TheJoker : You can leave them, as their being there won't cause a problem.
What was the math program that needed them?

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at »www.spywareinfoforum.com/index.p···ic=60955

Does your problem appear resolved?
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22562812 Tue, 16 Jun 2009 20:52:07 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22562433 azraders : O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -

I originally deleted these but I had to re install java because after the last hijackthis and reboot, my math program wouldn't work. It told me I needed the plug in for Java. So I downloaded it again. I am not sure but think the bottom two are related to running the program. The top one may be related because I deleted it initially and I saw it back in the hijackthis log.

I'm not sure what to do now. If you are positive they have nothing to do with the java I need for my math program, I'll delete them again.

Let me know.]]> http://www.dslreports.com/forum/remark,22562433 Tue, 16 Jun 2009 19:37:19 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22562285 TheJoker : You have more empty entries to remove.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it.
Please don't forget this step to disable teatimer.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

quote:
Some times I can browse from page to page in a few seconds and that has improved. what I notice is it takes my browsers about 20-30 seconds to load.

Did you follow the recommendation to use StartupLite to disable the entries that you had previously disabled with MSCONFIG? That may help once you do that.

You are also still running Internet Explorer 6. I would update to at least version 7, and then any adidtional security updates found at Windows Update after you do that. If you find IE7 slower, you can Google "speedup IE7" and you will find sites like »reliancepc.com/menu/tips/IE7tuning/index.php and »www.consumingexperience.com/2007···r-7.html that help with attempting to speed up IE7.

Please post a new HijackThis log and note any errors encountered.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22562285 Tue, 16 Jun 2009 19:11:51 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22559146 azraders : Hi there. I did the clean up. It is a toss up. Some times I can browse from page to page in a few seconds and that has improved. what I notice is it takes my browsers about 20-30 seconds to load. Maybe this will work itself out.

thanks for all the help. It was much appreciated!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:20 AM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\dell\bldbubg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 9405 bytes]]> http://www.dslreports.com/forum/remark,22559146 Tue, 16 Jun 2009 10:26:25 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22555930 TheJoker : You have quite a few items that you had previously disabled with MSCONFIG. You can disable them again, but they needed to be viewable to be able to delete the bad items.

There are other ways to get rid of several of them, and one that still isn't gone.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries:

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

You can optionally check the following entry. This entry is used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

That takes care of that one.

You were disabling Ad-Watch with MSCONFIG. Instead, just turn it off in the program, and it won't be running as an item that you may want to disable. However, you already have Spybot Search & Destroy, and Windows Defender. I would simply uninstall Ad-Aware as redundant

You are running both Google Toolbar, and Yahoo! Toolbar. I would uninstall one of them. Do you really use either? Uninstall the one you use the least (uninstalling the Yahoo! software will probably give the biggest effect).

For the rest, instead of using MSCONFIG, You might want to take a look at this page created by miekiemoes, one of the Global Moderators here, on slow systems, and some things you can try to do to try to improve it:
»users.telenet.be/bluepatchy/miek···ter.html
I would particularly look at using RubberDucky's StartUpLite (from the same people that brought you MBAM). This will display all unnecessary startup entries - so actually, everything it displays there is not necessary to start up with Windows.

Create a Restore Point
•Go to Start > Programs > Accessories > System Tools > System Restore
•Select Create a Restore Point and then Next.
•In the box for "Restore point description", enter a descriptive name and press Create
•When the "Restore Point Created" window appears, click Close

Run Disk Cleanup
•Go to Start > Run and type the below line:
cleanmgr
•Click OK
•If you have more than one drive, select the drive Windows is installed on
•Click OK
•When Disk Cleanup opens, select the More Options tab
•In the System Restore section (bottom of window), click Cleanup
•In the confirmation window that opens, click Yes[

Now click on the Disk Cleanup tab and select the following items:
•Downloaded Program Files
•Temporary Internet Files
•Recycle Bin
•Temporary Files
Click OK
in the confirmation window, select Yes (Disk Cleanup will close).

Please post a new HijackThis log.
How is the system running now?
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22555930 Mon, 15 Jun 2009 18:45:23 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22554470 azraders : Thanks for the help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:02 AM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 9799 bytes

I'm glad to see the files finally deleted alltogether.

One last thing if I may? Since I've done these last few steps, the computer is running slower. Is that because we put the msconfig on normal startup? I think everything is running now. OR do I have other problems that need addressing regarding cleaning up of files?

If it the latter, please direct me to a forum where I can learn how to better optimize the drive and speed.
thanks so much for your time. I really appreciate the help you have rendered. My computer thanks you too! :)
After a week and a half dealing with this junk... I'm ready for a vacation! :)

azraders]]> http://www.dslreports.com/forum/remark,22554470 Mon, 15 Jun 2009 14:14:03 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22554243 TheJoker : I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [CPM57421bb4] Rundll32.exe "c:\windows\system32\mimegepa.dll",a
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, locate the following files, and delete them if still there (they are probably gone):
C:\WINDOWS\system32\viyorawi.dll
c:\windows\system32\mimegepa.dll
C:\WINDOWS\system32\kuwokilo.dll

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

You appear to possibly have disabled your installation of McAfee rather than uninstalled it. It needs to be uninstalled as you have AVG also installed.

If you have uninstalled it, you should run this uninstaller to remove leftover entries.
Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 and 2008 versions of McAfee consumer products.
- McAfee Security Center
- McAfee VirusScan
- McAfee Personal Firewall Plus
- McAfee Privacy Service
- McAfee SpamKiller
- McAfee Wireless Network Security
- McAfee SiteAdvisor
- McAfee Data Backup
- McAfee Network Manager
- McAfee Easy Network
- McAfee AntiSpyware[/list]

Download the removal tool from »download.mcafee.com/products/lic···MCPR.exe
- Click Save and save the file to any folder on the computer.
- Navigate to the folder where the file is saved.
- Double-click MCPR.exe.

Note: Windows Vista users must right-click MCPR.exe and select Run as Administrator.

- Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
After the second window appears, the program will begin the cleanup.
- Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
The machine must reboot to complete the un-installation. Reboot now? [y.n]

- Press Y on the keyboard.
- Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at »service.mcafee.com/FAQDocument.a···TS100507

Please post a new HijackThis log and note any errors encountered.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22554243 Mon, 15 Jun 2009 13:29:41 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22553331 azraders : Here is the last hijackthis after running a msconfig in normal start up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:16 AM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CPM57421bb4] Rundll32.exe "c:\windows\system32\mimegepa.dll",a
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 10255 bytes]]> http://www.dslreports.com/forum/remark,22553331 Mon, 15 Jun 2009 10:47:30 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22552532 TheJoker :

said by azraders

:

I was referring to the System configuration utility in the startup menu. Maybe it won't affect anything though.

Oh, you mean with the MSCONFIG utility. Go to Start > Run, and in the run line type MSCONFIG, and when it starts, click the General tab, click Normal Startup, and click OK. When prompted, do not reboot.

Please post a new HijackThis log.

How did you get to be someone that helps people with stuff like this?

I learned at Spywareinfoforum. You can sign up for Boot Camp there through the link I left above.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22552532 Mon, 15 Jun 2009 05:36:04 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22551386 azraders : Last Hijackthislog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:50 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 6778 bytes

Quote:
"I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything."

I was referring to the System configuration utility in the startup menu. Maybe it won't affect anything though.

Thanks for everything. Especially the answers to all the questions. That was awesome! How did you get to be someone that helps people with stuff like this? Do you go to school in computers. I have wondered if I need to go learn this stuff and how I would do it.

Thanks again,
AZraders]]> http://www.dslreports.com/forum/remark,22551386 Sun, 14 Jun 2009 21:54:12 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22551211 TheJoker :

quote:
I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything.

I'm not sure where you mean you see it. I no longer see the entries in any of your logs.

quote:
I am a little worried about starting up spybot. Im afraid it will ask about those files.

If you mean TeaTimer, when you start it back up, if it says there were changes, tell it to allow the changes.

quote:
Also, you asked me to delete all files related to bigfishgames. I'm okay with getting rid of it. My son downloaded it and was playing it.
Tell me about it if you can and why it is bad.

I've seen it apparently associated with adware.

quote:
My daughter likes the pbs.org games as well as barbie.com. Is there harm in these?

They should be fine.

quote:
I have also heard facebook is bad all the way around.

Facebook isn't bad in itself, it's just that there's a lot of malware that targets it. If there is a graphic or video that tries to load but can't, and tells you that it needs to download a CODEC to view it, don't do that, and I would be very wary of instant messaging there or at any social networking site, and don't open URL's that are sent in an IM. I would also be careful about posting personal information there or at any social networking site. Any site that's popular (not just social networking sites) can end up being targeted to be compromized because it brings more potential victims, and malware is all about the money.

quote:
Let me know if it is safe to start up all my malware/ antivirus when you can. So far this has been helpful.

You can start TeaTimer back up now if you want, and your antivirus should be running as I see it in your last log.

quote:
It would be nice for you to recommend a link that I can visit that will teach me what is safe and what is not.

There are several help forums that also teach people how to remove malware. Two forums that do that are Spywareinfoforum.com and BleepingComputer.

Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please post a new HijackThis log.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22551211 Sun, 14 Jun 2009 21:15:50 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22550205 azraders :

Hello there,
I followed the instructions per your last post. Here are the scans:

hijackthissafemode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:18 AM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 5752 bytes

*****************************

Combofix

ComboFix 09-06-13.09 - Drader 06/14/2009 11:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.193 [GMT -7:00]
Running from: c:\documents and settings\Drader\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 17:15 . 2009-06-14 17:15 152576 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-11 23:25 . 2009-06-11 23:34 -------- d-----w- c:\program files\SpywareBlaster
2009-06-11 23:25 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-11 19:59 . 2009-06-11 19:59 -------- d-----w- C:\VundoFix Backups
2009-06-11 19:16 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 19:16 . 2009-06-11 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 19:16 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 04:23 . 2009-06-02 20:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-11 01:12 . 2009-06-14 14:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-11 00:28 . 2009-06-11 00:28 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\AVG Security Toolbar
2009-06-11 00:20 . 2009-06-11 00:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-11 00:20 . 2009-06-11 00:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-11 00:20 . 2009-06-11 00:20 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 00:20 . 2009-06-11 00:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 00:19 . 2009-06-14 14:23 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-11 00:19 . 2009-06-11 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\program files\AVG
2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-11 00:03 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\Drader\Application Data\AVG8
2009-06-10 15:17 . 2009-06-10 15:17 310640 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 15:02 . 2009-06-10 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 00:58 . 2009-06-10 00:58 -------- d-----w- c:\program files\Windows Defender
2009-06-09 17:08 . 2009-06-09 17:08 -------- d-----w- c:\documents and settings\Drader\Application Data\Malwarebytes
2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\WMTools Downloaded Files
2009-06-04 14:22 . 2009-06-04 04:10 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 04:05 . 2009-06-14 02:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 04:05 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 02:28 . 2009-05-27 02:28 -------- d-----w- c:\program files\Musicnotes
2009-05-27 02:25 . 2009-06-08 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-05-22 02:49 . 2009-05-22 02:49 -------- d-----w- c:\documents and settings\Drader\Application Data\KodakCredentialStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 18:06 . 2009-01-29 18:18 1 ----a-w- c:\documents and settings\Drader\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-14 17:20 . 2009-02-24 19:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 17:15 . 2008-12-24 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-14 02:49 . 2009-05-04 21:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-14 01:59 . 2008-12-28 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-11 02:08 . 2008-12-26 17:48 -------- d-----w- c:\documents and settings\Drader\Application Data\AdobeUM
2009-06-08 23:11 . 2008-12-25 00:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-08 23:10 . 2008-12-28 17:56 -------- d-----w- c:\program files\Google
2009-06-08 23:10 . 2008-12-24 17:44 -------- d-----w- c:\documents and settings\Drader\Application Data\Sonic
2009-06-04 04:05 . 2009-01-27 23:16 -------- d-----w- c:\program files\Lavasoft
2009-06-04 04:05 . 2008-12-26 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-27 14:36 . 2008-12-24 22:54 310640 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 16:51 . 2009-03-04 04:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-12 01:50 . 2009-05-12 01:50 -------- d-----w- c:\documents and settings\Drader\Application Data\Leadertech
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 17:25 . 2009-05-04 17:25 -------- d-----w- c:\documents and settings\Drader\Application Data\Skinux
2009-05-04 16:57 . 2009-05-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-05-04 16:52 . 2009-05-04 16:48 -------- d-----w- c:\program files\Common Files\Kodak
2009-05-04 16:31 . 2009-05-04 16:29 -------- d-----w- c:\program files\Kodak
2009-05-04 16:20 . 2009-05-04 16:20 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2009-05-04 16:18 . 2009-05-04 16:13 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-05-04 16:17 . 2009-05-04 16:17 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe
2009-05-04 16:13 . 2009-05-04 16:13 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2009-05-04 16:08 . 2009-05-04 16:08 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\EasyShrx.Dll
2009-05-04 16:07 . 2009-05-04 16:07 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.20.1.dll
2009-05-04 16:07 . 2009-05-04 16:08 2499984 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\Setup.exe
2009-05-04 16:06 . 2009-05-04 16:06 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.25.1.dll
2009-04-29 04:46 . 2004-08-04 10:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 19:27 . 2009-04-26 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-26 15:00 . 2009-04-26 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 21:54 . 2009-04-13 21:54 1878984 ----a-w- c:\documents and settings\Drader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-03-29 15:25 . 2004-08-10 18:13 78199 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-03-19 16:56 . 2009-03-19 16:56 129 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\fusioncache.dat
2009-03-19 16:51 . 2009-03-19 16:51 164 ----a-w- c:\windows\install.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-14_03.34.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-14 17:43 . 2009-06-14 17:43 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat
- 2009-03-18 00:42 . 2009-03-18 00:41 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-06-14 17:20 . 2009-06-14 17:20 148888 c:\windows\SYSTEM32\javaws.exe
+ 2009-06-14 17:20 . 2009-06-14 17:20 144792 c:\windows\SYSTEM32\javaw.exe
- 2009-03-18 00:42 . 2009-03-18 00:41 144792 c:\windows\SYSTEM32\javaw.exe
+ 2009-06-14 17:20 . 2009-06-14 17:20 144792 c:\windows\SYSTEM32\java.exe
- 2009-03-18 00:42 . 2009-03-18 00:41 144792 c:\windows\SYSTEM32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-11 00:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Drader^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Drader\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/27/2009 4:22 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/10/2009 5:20 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/10/2009 5:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 5:19 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 5:19 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate1c99dc76a3bc708;Google Update Service (gupdate1c99dc76a3bc708);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2009 12:20 PM 133104]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/4/2009 12:00 PM 33752]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:10]

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-06-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-28 21:58]

2009-06-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 19:19]

2009-06-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lds.org/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Drader\Application Data\Mozilla\Firefox\Profiles\jrslb912.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Drader\Application Data\Mozilla\Firefox\Profiles\jrslb912.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.

**********************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-14 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-14 11:29
ComboFix-quarantined-files.txt 2009-06-14 18:28
ComboFix2.txt 2009-06-14 03:38

Pre-Run: 23,446,327,296 bytes free
Post-Run: 23,438,544,896 bytes free

201 --- E O F --- 2009-06-13 09:19

************************************

MBAM after combo fix

Malwarebytes' Anti-Malware 1.37
Database version: 2277
Windows 5.1.2600 Service Pack 3

6/14/2009 11:46:09 AM
mbam-log-2009-06-14 (11-46-09).txt

Scan type: Quick Scan
Objects scanned: 60954
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

**************************************

Hijackthis post combo fix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:46 AM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 6745 bytes

*****************************************
virustotal

File MSSTDFMT.DLL received on 2009.06.14 19:03:15 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 43 and 62 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.14 -
AhnLab-V3 5.0.0.2 2009.06.14 -
AntiVir 7.9.0.187 2009.06.14 -
Antiy-AVL 2.0.3.1 2009.06.12 -
Authentium 5.1.2.4 2009.06.13 -
Avast 4.8.1335.0 2009.06.14 -
AVG 8.5.0.339 2009.06.14 -
BitDefender 7.2 2009.06.14 -
CAT-QuickHeal 10.00 2009.06.13 -
ClamAV 0.94.1 2009.06.14 -
Comodo 1328 2009.06.14 -
DrWeb 5.0.0.12182 2009.06.14 -
eSafe 7.0.17.0 2009.06.11 -
eTrust-Vet 31.6.6556 2009.06.12 -
F-Prot 4.4.4.56 2009.06.13 -
F-Secure 8.0.14470.0 2009.06.13 -
Fortinet 3.117.0.0 2009.06.14 -
GData 19 2009.06.14 -
Ikarus T3.1.1.59.0 2009.06.14 -
K7AntiVirus 7.10.762 2009.06.12 -
Kaspersky 7.0.0.125 2009.06.14 -
McAfee 5646 2009.06.14 -
McAfee+Artemis 5646 2009.06.14 -
McAfee-GW-Edition 6.7.6 2009.06.14 -
Microsoft 1.4701 2009.06.14 -
NOD32 4153 2009.06.14 -
Norman 6.01.09 2009.06.12 -
nProtect 2009.1.8.0 2009.06.14 -
Panda 10.0.0.14 2009.06.14 -
PCTools 4.4.2.0 2009.06.12 -
Prevx 3.0 2009.06.14 -
Rising 21.33.62.00 2009.06.14 -
Sophos 4.42.0 2009.06.14 -
Sunbelt 3.2.1858.2 2009.06.14 -
Symantec 1.4.4.12 2009.06.14 -
TheHacker 6.3.4.3.345 2009.06.13 -
TrendMicro 8.950.0.1092 2009.06.12 -
VBA32 3.12.10.7 2009.06.14 -
ViRobot 2009.6.13.1785 2009.06.13 -
VirusBuster 4.6.5.0 2009.06.14 -

I rebooted after all of the above. I did not find any pop ups, although i did still see those trojan type files like goyapipmu , Unchecked, in the startup menu. Is there a way to get rid of these or does it even mean anything. I am a little worried about starting up spybot. Im afraid it will ask about those files.

Also, you asked me to delete all files related to bigfishgames. I'm okay with getting rid of it. My son downloaded it and was playing it.
Tell me about it if you can and why it is bad.
How do I know which games my kids can play? I have told him not to play any games at this point.

My daughter likes the pbs.org games as well as barbie.com. Is there harm in these?

I have also heard facebook is bad all the way around. My other daughter likes that. is there a safe way to do that or should I ban her on facebook alltogether as well?

I would appreciate all your help with those questions. It would be nice for you to recommend a link that I can visit that will teach me what is safe and what is not.

Let me know if it is safe to start up all my malware/ antivirus when you can. So far this has been helpful.

azraders

]]> http://www.dslreports.com/forum/remark,22550205 Sun, 14 Jun 2009 16:59:44 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22548868 TheJoker : I'm not so sure that the actual infection is still there, or if it's simply that there was a problem removing the related registry keys. It appears that the files related to the vundo infection are gone.

Please follow the below instructions in the order listed.

To clear the Java Runtime Environment (JRE) cache:
- Click Start > Control Panel.
- Double-click the Java icon in the control panel.
-The Java Control Panel appears.
- Click Settings under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
- Click Delete Files.
-The Delete Temporary Files dialog box appears.
-There are two options on this window to clear the cache.
- Applications and Applets
- Trace and Log Files
- Click OK on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
- Click OK on Temporary Files Settings window.
- Close the Java Control Panel

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6.
- Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 14".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, and check the "agree" box and click "Continue".
- Click on the link to download Windows Offline Installation and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:
-- Java 2 Runtime Environment, SE v1.4.2
-- J2SE Runtime Environment 5.0
-- J2SE Runtime Environment 5.0 Update 2
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

I recommend going to Control Panel's Add or Remove Programs and uninstalling anything connected to Big Fish Games

If you uninstall it as recommended, then delete the following two folders if still there:

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, delete the following folders if still there:
c:\documents and settings\All Users\Application Data\BigFishGamesCache
c:\program files\bfgclient

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Restart your system.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:

Save the file to your Desktop.
- Close any open browsers.
- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
c:\windows\system32\MSSTDFMT.DLL

Please post a new HijackThis log, the log from ComboFix (combofix.txt), the log from MBAM, the results of scanning the file at VirusTotal, and note any errors encountered.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22548868 Sun, 14 Jun 2009 10:44:25 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22548174 azraders : I have done a reboot and the following were found:

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:22 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 6792 bytes

MBAM

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 10:00:38 PM
mbam-log-2009-06-13 (21-59-52).txt after reboot

Scan type: Quick Scan
Objects scanned: 85890
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

I think it is still there :(]]> http://www.dslreports.com/forum/remark,22548174 Sun, 14 Jun 2009 01:28:56 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22548078 azraders : I have done as directed per your post. I have included post scans as well as the pre-scan you requested with MBAM. Let me know what I need to do next.

COMBOFIX:

ComboFix 09-06-13.05 - Drader 06/13/2009 20:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.201 [GMT -7:00]
Running from: c:\documents and settings\Drader\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-11 23:25 . 2009-06-11 23:34 -------- d-----w- c:\program files\SpywareBlaster
2009-06-11 23:25 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-11 19:59 . 2009-06-11 19:59 -------- d-----w- C:\VundoFix Backups
2009-06-11 19:16 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 19:16 . 2009-06-11 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 19:16 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 04:23 . 2009-06-02 20:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-11 01:12 . 2009-06-13 19:39 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-11 00:28 . 2009-06-11 00:28 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\AVG Security Toolbar
2009-06-11 00:20 . 2009-06-11 00:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-11 00:20 . 2009-06-11 00:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-11 00:20 . 2009-06-11 00:20 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 00:20 . 2009-06-11 00:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 00:19 . 2009-06-14 00:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-11 00:19 . 2009-06-11 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\program files\AVG
2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-11 00:03 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\Drader\Application Data\AVG8
2009-06-10 15:17 . 2009-06-10 15:17 310640 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 15:02 . 2009-06-10 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 00:58 . 2009-06-10 00:58 -------- d-----w- c:\program files\Windows Defender
2009-06-09 17:08 . 2009-06-09 17:08 -------- d-----w- c:\documents and settings\Drader\Application Data\Malwarebytes
2009-06-09 17:07 . 2009-06-09 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 23:10 . 2009-06-08 23:10 -------- d-----w- c:\documents and settings\Drader\Local Settings\Application Data\WMTools Downloaded Files
2009-06-04 14:22 . 2009-06-04 04:10 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 04:05 . 2009-06-14 02:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 04:05 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-27 02:28 . 2009-05-27 02:28 -------- d-----w- c:\program files\Musicnotes
2009-05-27 02:25 . 2009-06-08 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-05-22 02:49 . 2009-05-22 02:49 -------- d-----w- c:\documents and settings\Drader\Application Data\KodakCredentialStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 02:49 . 2009-05-04 21:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-14 01:59 . 2008-12-28 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-12 05:57 . 2009-01-29 18:18 1 ----a-w- c:\documents and settings\Drader\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-11 02:08 . 2008-12-26 17:48 -------- d-----w- c:\documents and settings\Drader\Application Data\AdobeUM
2009-06-09 02:07 . 2008-12-24 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-08 23:11 . 2008-12-25 00:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-08 23:10 . 2008-12-28 17:56 -------- d-----w- c:\program files\Google
2009-06-08 23:10 . 2008-12-24 17:44 -------- d-----w- c:\documents and settings\Drader\Application Data\Sonic
2009-06-04 04:05 . 2009-01-27 23:16 -------- d-----w- c:\program files\Lavasoft
2009-06-04 04:05 . 2008-12-26 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-27 14:36 . 2008-12-24 22:54 310640 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 16:51 . 2009-03-04 04:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-12 01:50 . 2009-05-12 01:50 -------- d-----w- c:\documents and settings\Drader\Application Data\Leadertech
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 02:11 . 2009-05-04 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-05-04 21:38 . 2009-05-04 21:38 -------- d-----w- c:\program files\bfgclient
2009-05-04 17:25 . 2009-05-04 17:25 -------- d-----w- c:\documents and settings\Drader\Application Data\Skinux
2009-05-04 16:57 . 2009-05-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-05-04 16:52 . 2009-05-04 16:48 -------- d-----w- c:\program files\Common Files\Kodak
2009-05-04 16:31 . 2009-05-04 16:29 -------- d-----w- c:\program files\Kodak
2009-05-04 16:20 . 2009-05-04 16:20 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2009-05-04 16:18 . 2009-05-04 16:13 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-05-04 16:17 . 2009-05-04 16:17 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe
2009-05-04 16:13 . 2009-05-04 16:13 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2009-05-04 16:08 . 2009-05-04 16:08 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\EasyShrx.Dll
2009-05-04 16:07 . 2009-05-04 16:07 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.20.1.dll
2009-05-04 16:07 . 2009-05-04 16:08 2499984 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_a031e62\Setup.exe
2009-05-04 16:06 . 2009-05-04 16:06 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.25.1.dll
2009-04-29 04:46 . 2004-08-04 10:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 19:27 . 2009-04-26 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-26 15:00 . 2009-04-26 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 21:54 . 2009-04-13 21:54 1878984 ----a-w- c:\documents and settings\Drader\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-03-29 15:25 . 2004-08-10 18:13 78199 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-03-19 16:56 . 2009-03-19 16:56 129 ----a-w- c:\documents and settings\Drader\Local Settings\Application Data\fusioncache.dat
2009-03-19 16:51 . 2009-03-19 16:51 164 ----a-w- c:\windows\install.dat
2009-03-18 00:42 . 2009-03-18 00:42 503808 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\msvcp71.dll
2009-03-18 00:42 . 2009-03-18 00:42 499712 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\jmc.dll
2009-03-18 00:42 . 2009-03-18 00:42 348160 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-70d9f237-n\msvcr71.dll
2009-03-18 00:41 . 2009-02-24 19:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-18 00:37 . 2009-03-18 00:37 152576 ----a-w- c:\documents and settings\Drader\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-11 00:20 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Drader^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Drader\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/27/2009 4:22 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/10/2009 5:20 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/10/2009 5:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/10/2009 5:19 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 5:19 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate1c99dc76a3bc708;Google Update Service (gupdate1c99dc76a3bc708);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2009 12:20 PM 133104]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/4/2009 12:00 PM 33752]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1005904]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:10]

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-06-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-28 21:58]

2009-06-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 19:19]

2009-06-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-goyapipemu - c:\windows\system32\viyorawi.dll
HKLM-Run-54712828 - c:\windows\system32\kuwokilo.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lds.org/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2009-06-13 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1464)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\CF21898.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-14 20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 03:38

Pre-Run: 23,424,643,072 bytes free
Post-Run: 23,421,034,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

210 --- E O F --- 2009-06-13 09:19

MBAM POST SCAN

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 9:20:25 PM
mbam-log-2009-06-13 (21-20-25).txt

Scan type: Quick Scan
Objects scanned: 85940
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HIJACKTHIS POST SCAN

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:48 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 6608 bytes

MBAM PRE-SCAN (BEFORE COMBO FIX)

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3

6/13/2009 4:57:41 PM
mbam-log-2009-06-13 (16-57-41).txt

Scan type: Quick Scan
Objects scanned: 88078
Time elapsed: 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)]]> http://www.dslreports.com/forum/remark,22548078 Sun, 14 Jun 2009 00:49:05 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22548039 azraders : There are some suggestions for cleanup at the top of the thread. I thought they were for those people and not for me. I'm really confused. Can I do those suggestions then to clean up those files I am no longer using?]]> http://www.dslreports.com/forum/remark,22548039 Sun, 14 Jun 2009 00:33:48 EDT Re: [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22546295 TheJoker : Hi azraders

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

quote:
With broadbands suggestion, I have tried to use previous threads to solve my problem but the threads all say: This is ONLY for the person that we are helping in the thread. So now I am afraid to do anything. Can you help?

One of the threads did ask to check for viewpoint- »Re: HJT Log: Virtumonde.prx??
it was indeed on my computer. I uninstalled it but could not merge the suggested file to the registery. It said, Cannot import fixreg. the specified file is not a registry script

That's why we say that fixes are only for the person that it was posted for. There were really two errors there, one was an error in the .reg file because the board inserted extra characters in the text when you copied it. That's why we now use quote boxes for copied text (it could have been copied properly using the "view plain" option in the code box), but that registry fix was specific to the user in that topic, and unrelated to the Viewpoint removal and should not be done on your system. You should delete the fix.reg file that you created.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again (but leave it off for now).
If after we are completely through (that won't be after these instructions) you turn it back on, if teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it.

Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\ C:\WINDOWS\system32\kawokame.dll c:\windows\system32\mimegepa.dll

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, locate the following file, and delete them (if still there):
C:\WINDOWS\system32\kuwokilo.dll
C:\WINDOWS\system32\viyorawi.dll
C:\WINDOWS\system32\kawokame.dll
c:\windows\system32\mimegepa.dll

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Download ComboFix© by sUBs from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log, the log from MBAM, the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22546295 Sat, 13 Jun 2009 16:01:02 EDT [Vundo] cannot get rid of virtumonde/vundo trojan http://www.dslreports.com/forum/remark,22545478 azraders : I have run spybot- it shows 2 trojans- virtumonde.prx. MBam shows Trojan Vundo. I have deleted them but they seem to keep rewriting to my computer. I have downloaded all you have required: Spybot, mbam, hijack this, windows def. adaware. Mbam and spybot are the only ones that show I have the trojans. I have run in safemode and it will get rid of them , but they reappear with future scans. With all of the scans, my computer runs more quickly except for the initial load up of a browser which is unusually slow.

With broadbands suggestion, I have tried to use previous threads to solve my problem but the threads all say: This is ONLY for the person that we are helping in the thread. So now I am afraid to do anything. Can you help?

One of the threads did ask to check for viewpoint- »Re: HJT Log: Virtumonde.prx??
it was indeed on my computer. I uninstalled it but could not merge the suggested file to the registery. It said, Cannot import fixreg. the specified file is not a registry script . You can only import binary reg files from with the reg. editor. Needless to say, i cannot merge this file.

here are the logs:

Spybot:

--- Search result list ---
Virtumonde.prx: [SBI $3F9F40D4] Autorun settings (54712828) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828

Virtumonde.prx: [SBI $85112C1D] Autorun settings (goyapipemu) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu

Right Media: Tracking cookie (Internet Explorer: Drader) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-04-25 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-02 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-06-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-06-02 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-02 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi (*)
2009-06-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB936782)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127-v2)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Hotfix for Windows XP (KB932716-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)
/ Windows XP / SP4: Hotfix for Windows XP (KB945060-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958215)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960714)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Security Update for Windows XP (KB963027)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969897)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)

--- Startup entries list ---
Located: HK_LM:Run, 54712828
command: rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
file: C:\WINDOWS\system32\kuwokilo.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, Ad-Watch
command: "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
file: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
size: 518488
MD5: 12761AC7AAAFDC75860F9905068056FF

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1948440
MD5: 2588B441E5B22691E0610CF710865441

Located: HK_LM:Run, goyapipemu
command: Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
file: C:\WINDOWS\system32\viyorawi.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, MSConfig
command: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
file: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
size: 169984
MD5: A81135541C9D4EBCE43EFA8AD31395B4

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 148888
MD5: 3237A58DC79C051004CD3A67C8FBC781

Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_LM:RunOnce, Malwarebytes' Anti-Malware
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe\mbamgui.exe" /install /silent
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe\mbamgui.exe
size: 414480
MD5: 7C5A2D12400C54E9BD97E90AEFB26C8D

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-479348682-3771094307-2254394609-1006...
command: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:Run, DellSupport
where: S-1-5-21-479348682-3771094307-2254394609-500...
command: "C:\Program Files\Dell Support\DSAgnt.exe" /startup
file: C:\Program Files\Dell Support\DSAgnt.exe
size: 306688
MD5: CEA4715092CB7984420DBC9F51FB4C35
*****
MBAM
Malwarebytes' Anti-Malware 1.37
Database version: 2263
Windows 5.1.2600 Service Pack 3

6/12/2009 8:08:22 AM
mbam-log-2009-06-12 (08-08-16).txt

Scan type: Quick Scan
Objects scanned: 87517
Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goyapipemu (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54712828 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
*****
Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:41 AM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [goyapipemu] Rundll32.exe "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [54712828] rundll32.exe "C:\WINDOWS\system32\kuwokilo.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\ C:\WINDOWS\system32\kawokame.dll c:\windows\system32\mimegepa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 7493 bytes

***
Previous Hi Jack this record:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:32 PM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drader\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.lds.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [goyapipemu] "Rundll32.exe" "C:\WINDOWS\system32\viyorawi.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [54712828] "rundll32.exe" "C:\WINDOWS\system32\kuwokilo.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: »*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - »upload.facebook.com/controls/200···der5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - »housecall65.trendmicro.com/house···Impl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - »wwwimages.adobe.com/www.adobe.co···s/gp.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\ C:\WINDOWS\system32\kawokame.dll c:\windows\system32\mimegepa.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99dc76a3bc708) (gupdate1c99dc76a3bc708) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 6854 bytes

Can you help?]]> http://www.dslreports.com/forum/remark,22545478 Sat, 13 Jun 2009 12:17:31 EDT