Hi,
I really need your help - I've managed to get the Trojan.Vundo virus on my computer. Every time I think I've deleted it, it keeps reappearing.
My computer keeps restarting on its own and strange error messages always appear. I'm really worried.
Please help!
Jxxx
PS Here is my Hijack list
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:36, on 30/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = myAOL | Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing UK
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = myAOL | Compaq
O2 - BHO: (no name) - {0f77c8e5-9230-4631-b63e-a343cb858e06} - C:\WINDOWS\system32\mjpcdiez.dll
O2 - BHO: (no name) - {15aebf3b-abd5-4570-bf88-4e8f30997a10} - c:\windows\system32\fdwbplx.dll
O2 - BHO: (no name) - {b2ba40a2-74f0-42bd-f434-12345a2c8953} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [6362] C:\kggi.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\dojapode.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jdianbnv - C:\WINDOWS\SYSTEM32\fdwbplx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4882 bytes
The following tool is called MBAM. Follow the instructions for it, but before running the tool I would like you to boot into Safe Mode and run it there, for maximum effectiveness, as explained below.
Now reboot into Safe Mode (without networking support) by tapping your F8 key on restart; when the Safe Mode menu appears, select Safe Mode and press Enter.
* Please download Malwarebytes' Anti-Malware from HERE or HERE
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Thank you for getting back to me!
MBAM Log 01.05.2009
Malwarebytes' Anti-Malware 1.36
Database version: 2064
Windows 5.1.2600 Service Pack 2
01/05/2009 20:08:10
mbam-log-2009-05-01 (20-08-01).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 142620
Time elapsed: 37 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
Folders Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\pidle (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> No action taken.
Files Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> No action taken.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
Hijack This Log 01.05.2009
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:07, on 01/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = myAOL | Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing UK
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = myAOL | Compaq
O2 - BHO: (no name) - {15aebf3b-abd5-4570-bf88-4e8f30997a10} - c:\windows\system32\fdwbplx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [6362] C:\kggi.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\dojapode.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jdianbnv - C:\WINDOWS\SYSTEM32\fdwbplx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4311 bytes
Is there anything I missed out?
Thanxs again!
Jx
You need to run MBAM again, and this time you need to delete all it finds; you did nothing before but run the scan.
Then post the scan results and a new HijackThis log. Thanks.
I'm slightly confused because when I did the first scan (before) I selected everything found and then clicked OK to delete it. A message came up saying that it could not delete everything that was selected and that I needed to restart (which I did).
I did another scan today and the same thing appeared - not all the viruses that were found could be deleted. It gave me an option to restart (which I did otherwise it stated removal would not be completed).
Here are the results:-
Mbam Log
Malwarebytes' Anti-Malware 1.36
Database version: 2064
Windows 5.1.2600 Service Pack 2
03/05/2009 18:17:22
mbam-log-2009-05-03 (18-17-22).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143508
Time elapsed: 13 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:57, on 03/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = myAOL | Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing UK
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = myAOL | Compaq
O2 - BHO: (no name) - {15aebf3b-abd5-4570-bf88-4e8f30997a10} - c:\windows\system32\fdwbplx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [6362] C:\kggi.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O15 - Trusted Zone: Online skills testing, candidate testing and recruitment aptitude tests
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\dojapode.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jdianbnv - C:\WINDOWS\SYSTEM32\fdwbplx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4669 bytes
Thanks again
J
x
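The two MBAM logs in this thread differ in more than the action column: several items from the first run (the Trojan.Ertfor keys, the prnet Uninstall key, the pidle folder, the RECYCLER Backdoor.Bot entries, win32hlp.cnf, the nsrbgxod.bak files) simply stop appearing in the second run with no "Quarantined and deleted" line ever recorded for them. The script below reconciles two MBAM 1.x logs and lists exactly that class of item alongside anything still pending a reboot. It is an added example for this thread, not Malwarebytes code and not something a poster ran; the two sample logs are constructed, trimmed copies of the 01/05 and 03/05 logs posted above.

```python
"""Reconcile two Malwarebytes' Anti-Malware 1.x logs taken from the same machine.

Added example for this thread; it is not Malwarebytes code and not something a
poster ran. It reads the "<item> (<classification>) -> <action>." lines that
MBAM 1.36 writes and reports what still needs accounting for after the second
run. The two sample logs are constructed: trimmed copies of the logs in the thread.
"""
import re
from collections import namedtuple

Detection = namedtuple("Detection", "section item classification data action")

SECTION_RE = re.compile(r"^(.+ Infected):$")
# "<item> (<class>) -> [Data: <data> -> ]<action>."  (the Data part appears only
# under "Registry Data Items Infected")
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$"
)

REMOVED = "Quarantined and deleted successfully"
PENDING = "Delete on reboot"
UNTOUCHED = "No action taken"

FIRST_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
Folders Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\pidle (Trojan.Agent) -> No action taken.
Files Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
"""

SECOND_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\mjpcdiez.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


def parse_mbam(text):
    """Yield one Detection per finding line, tagged with the section heading above it."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = LINE_RE.match(line)
        if m:
            yield Detection(section, m["item"], m["cls"], m["data"], m["action"].strip())


def last_action(text):
    """{item: action}. The same DLL is listed as a memory module and as a file with
    the same action, so keeping the last line per item loses nothing."""
    return {d.item: d.action for d in parse_mbam(text)}


def outstanding(first_log, second_log):
    """What a reviewer still has to account for after the second run.

    Returns {item: status} with one of:
      "still present, pending reboot"  second log says Delete on reboot
      "still present, untouched"       second log still says No action taken
      "vanished, no removal record"    listed in the first log, absent from the second,
                                       and never recorded as quarantined or deleted
    Anything the second log reports as quarantined and deleted is not listed.
    """
    before, after = last_action(first_log), last_action(second_log)
    status = {}
    for item, action in after.items():
        if action == PENDING:
            status[item] = "still present, pending reboot"
        elif action == UNTOUCHED:
            status[item] = "still present, untouched"
    for item, action in before.items():
        if item not in after and action != REMOVED:
            status[item] = "vanished, no removal record"
    return status


if __name__ == "__main__":
    for item, state in sorted(outstanding(FIRST_LOG, SECOND_LOG).items(), key=lambda kv: kv[1]):
        print(f"{state:32} {item}")
```

On the constructed sample this leaves mjpcdiez.dll pending its delete-on-reboot and three items (the Trojan.Ertfor Ext\Stats key, the pidle folder and win32hlp.cnf) that vanished without a removal record. The ComboFix log later in this thread does in fact delete c:\windows\system32\win32hlp.cnf, which is the point of the "vanished" tier: an item dropping out of a rescan is not evidence that it was removed. The Userinit line is the other caveat worth keeping: its data is the legitimate path c:\windows\system32\userinit.exe, so the registry value looks clean on its face, and what ComboFix later reports is an infected copy of userinit.exe itself.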
Some died, some escaped, so let's break out the big guns:
Visit the page below to familiarize yourself with the tool and download it from one of the links provided.
A guide and tutorial on using ComboFix
If you have previously downloaded ComboFix, please delete that version now.
It is IMPORTANT that it is saved directly to your desktop
Close any open browsers.
Disconnect from the Internet.
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Disable your antivirus program and any realtime malware scanners and script blockers now
How To Disable
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Re-enable your anti-virus and re-connect back to the internet and post the combofix log.
*Note*
In case your antivirus or any other realtime scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
ComboFix SHOULD NOT be used unless requested by a forum helper.
Hiya
Here is my Combo Fix log:-
ComboFix 09-05-07.01 - Compaq_Owner 07/05/2009 18:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.253 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Owner\protect.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\eaeb240e.sys
c:\windows\system32\drivers\ovfsthrkuwyjygstseimwisjapvaisbefmnuib.sys
c:\windows\system32\ovfsthcupwdoaethebkkjceklnrylntnukoeem.dll
c:\windows\system32\ovfstherbqxlonxlvunuexbmfrqjhvribbgiqe.dat
c:\windows\system32\ovfsthfaotppljcxaljxnouspujiomrxjlcydq.dll
c:\windows\system32\ovfsthqljggaxxjufgvehblyrjijgkxdpyamkd.dat
c:\windows\system32\ovfsthtjqyfjyvblrnspryfxuiylskqsugfott.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\At1.job
D:\Autorun.inf
c:\windows\system32\fdwbplx.dll . . . . failed to delete
c:\windows\system32\mjpcdiez.dll . . . . failed to delete
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthltohghntycaxjejqrpqvonmiccnkferd
-------\Legacy_mciobqyw
-------\Service_eaeb240e
-------\Service_mciobqyw
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.
2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\zatdzknq
2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zatdzknq
2009-05-06 22:22 . 2009-05-07 17:29 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-01 17:43 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 17:43 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:46 . 2009-04-29 22:46 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-04-29 22:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-05-01 17:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 17:50 . 2004-08-04 12:00 143872 ----a-w c:\windows\system32\mjpcdiez.dll
2009-05-07 17:50 . 2004-08-04 12:00 104960 ----a-w c:\windows\system32\qemmpqy.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 22:54 . 2004-08-04 12:00 28624 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-02 22:54 . 2009-03-02 22:54 536 ----a-w c:\windows\eReg.dat
2009-02-22 21:18 . 2009-02-22 21:11 256 ----a-w c:\windows\system32\pool.bin
2009-02-20 08:30 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 15:27 . 2009-02-09 15:27 61480 ----a-w c:\documents and settings\Compaq_Owner\GoToAssistDownloadHelper.exe
2009-02-09 15:27 . 2009-02-09 15:27 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-07 02:27 . 2008-12-29 11:28 0 ----a-w c:\documents and settings\Family Computer\Local Settings\Application Data\prvlcl.dat
2008-09-21 20:31 . 2008-09-21 20:31 389203 ----a-w c:\program files\CE.dll
2008-09-21 20:31 . 2008-09-21 20:31 144656 ----a-w c:\program files\WebLink.dll
2008-09-21 20:31 . 2008-09-21 20:31 1103120 ----a-w c:\program files\Synchronize.dll
2008-08-08 21:14 . 2008-08-08 21:14 66371 ----a-w c:\program files\BlackBerry_Desktop_Software_Help.chm
2008-08-08 21:14 . 2008-08-08 21:14 5319 ----a-w c:\program files\readme.txt
2008-05-15 18:05 . 2008-05-15 18:05 59904 ----a-w c:\program files\zlib1.dll
2008-05-15 18:05 . 2008-05-15 18:05 172032 ----a-w c:\program files\mimepp_core.dll
2008-05-15 18:05 . 2008-05-15 18:05 4456 ----a-w c:\program files\configurationupgrade.xml
2008-05-15 18:05 . 2008-05-15 18:05 4300 ----a-w c:\program files\conn_install.cfg
2008-05-15 18:05 . 2008-05-15 18:05 2256896 ----a-w c:\program files\ilsync.dll
2008-05-15 18:05 . 2008-05-15 18:05 1483 ----a-w c:\program files\configurationupgrade.dtd
2008-05-15 18:05 . 2008-05-15 18:05 10424 ----a-w c:\program files\System.dtd
2008-05-15 18:05 . 2008-05-15 18:05 26694 ----a-r c:\program files\blackberry.ico
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06}]
2009-05-07 17:50 143872 ----a-w c:\windows\system32\mjpcdiez.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15aebf3b-abd5-4570-bf88-4e8f30997a10}]
2004-08-04 12:00 104960 ------w c:\windows\system32\fdwbplx.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 17:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 wywjlmtq;wywjlmtq;c:\windows\system32\drivers\wywjlmtq.sys [04/08/2004 13:00 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/10/2008 15:21 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/10/2008 15:21 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/10/2008 15:21 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/10/2008 15:21 298264]
S2 Aniptjoiz;Aniptjoiz;c:\windows\System32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Aniptjoiz
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\At2.job
- c:\windows\system32\fdwbplx.dll [2004-08-04 12:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
HKLM-Run-6362 - C:\kggi.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: skills-arena.co.uk\www
Trusted Zone: skills-arena.com\www
Trusted Zone: skillsarena.co.uk\www
Trusted Zone: skillsarena.com\www
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\c6x4hwuf.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 18:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-07 18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 17:54
Pre-Run: 120,548,450,304 bytes free
Post-Run: 120,483,721,216 bytes free
192 --- E O F --- 2009-04-16 23:19
Thxs!
Jx
Go here to learn how to show hidden files/folders:
Help Centre Home : www.telecom.co.nz/help
Re-hide after we are done
Open Notepad (it must be Notepad) and copy/paste the text in the quote box below into it (not the word "Quote"):
Save this as CFScript
File::
c:\windows\system32\fdwbplx.dll
c:\windows\system32\mjpcdiez.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\mjpcdiez.dll
c:\windows\system32\qemmpqy.dll
c:\windows\system32\mjpcdiez.dll
c:\windows\Tasks\At2.job
DirLook::
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f77c8e5-9230-4631-b63e-a343cb858e06}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15aebf3b-abd5-4570-bf88-4e8f30997a10}]
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Also:
Go to next site:
VirusTotal - Free Online Virus and Malware Scan
On top you'll find 'Browse'
Click the browse button and browse to next file:
c:\windows\system32\pool.bin
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
If that one is too busy, here is another option:
Online malware scan
And
Virus File Scanner
Please do the same for these:
c:\windows\system32\wininet.dll
c:\program files\zlib1.dll
Last edited by Neal; 08-05-2009 at 10:09 PM.
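The post above works from the ComboFix log: pick out the modules with the Vundo signature seen in this thread (a randomly named DLL in system32 carrying the XP SP2 creation stamp 2004-08-04 12:00 but a last-write time a few days old), the unnamed BHOs that load them, and write them into a CFScript with File::, DirLook:: and Registry:: sections. The Python below is an added example of that triage; it is not ComboFix's, HijackThis's or the helper's own tooling. The sample lines are copied from the logs posted in this thread, the two scoring rules and the 7-day window are assumptions, and everything it flags is a candidate for the hash/VirusTotal check the helper asks for, not a verdict.

```python
"""Triage ComboFix and HijackThis log lines for Vundo-style indicators and
write the result as a CFScript in the form used in this thread.

Added example for this thread; not ComboFix's, HijackThis's or the helper's
own tooling. Sample lines are copied from the logs posted here; the two
scoring rules and the 7-day window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Windows XP SP2 stamps its system32 files 2004-08-04 12:00 (ComboFix prints
# file times in UTC). The Vundo DLLs in this thread carry that creation stamp
# although they were written days before the scan. A genuinely patched OS
# file such as wininet.dll shows the same pair of dates, so this rule alone
# only earns a "verify", never a delete.
XP_SP2_STAMP = datetime(2004, 8, 4, 12, 0)
SYSTEM32 = "c:\\windows\\system32\\"
REASON_STAMP = "XP SP2 creation stamp but written within the scan window"
REASON_NAME = "random-looking name"

# Find3M report line: "<modified> . <created> <size> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <module path>"
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)\s*$")

# Constructed sample input: lines copied from the logs in this thread.
FIND3M_SAMPLE = [
    r"2009-05-11 11:26 . 2008-10-03 14:21 11952 ----a-w c:\windows\system32\avgrsstx.dll",
    r"2009-05-07 17:50 . 2004-08-04 12:00 143872 ----a-w c:\windows\system32\mjpcdiez.dll",
    r"2009-05-07 17:50 . 2004-08-04 12:00 104960 ----a-w c:\windows\system32\qemmpqy.dll",
    r"2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll",
    r"2009-03-02 22:54 . 2004-08-04 12:00 28624 ----a-w c:\windows\system32\drivers\secdrv.sys",
    r"2009-02-22 21:18 . 2009-02-22 21:11 256 ----a-w c:\windows\system32\pool.bin",
    r"2009-02-20 08:30 . 2004-08-04 12:00 659456 ----a-w c:\windows\system32\wininet.dll",
    r"2008-05-15 18:05 . 2008-05-15 18:05 59904 ----a-w c:\program files\zlib1.dll",
]
O2_SAMPLE = [
    r"O2 - BHO: (no name) - {15aebf3b-abd5-4570-bf88-4e8f30997a10} - c:\windows\system32\fdwbplx.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll",
]
SCAN_TIME = datetime(2009, 5, 12, 23, 40)  # start of the second ComboFix run


def parse_find3m(lines):
    """Yield (modified, created, size, path) for each Find3M line that parses."""
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                   datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
                   int(m.group(3)), m.group(5).lower())


def parse_o2(lines):
    """Return [(name, clsid, module_path)] from HijackThis O2 lines."""
    found = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3).lower()))
    return found


def consonant_run(path):
    """Longest run of consonants in the file stem (y counts as a consonant).
    mjpcdiez and qemmpqy score 5, wininet scores 1. Weak on its own
    (avgrsstx scores 7), so it is only ever one of two indicators."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    best = run = 0
    for ch in stem:
        if ch.isalpha() and ch.lower() not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(find3m_lines, scan_time, recent_days=7):
    """Map each system32 path to the list of indicators it triggers."""
    window = scan_time - timedelta(days=recent_days)
    findings = {}
    for modified, created, _size, path in parse_find3m(find3m_lines):
        if not path.startswith(SYSTEM32):
            continue  # Vundo drops into system32; skip Program Files noise
        reasons = []
        if created == XP_SP2_STAMP and modified >= window:
            reasons.append(REASON_STAMP)
        if consonant_run(path) >= 5:
            reasons.append(REASON_NAME)
        if reasons:
            findings[path] = reasons
    return findings


def build_cfscript(findings, bhos, dirlook=()):
    """Emit File::, DirLook:: and Registry:: sections as in the helper's script.
    Only two-indicator files go into File::; an unnamed BHO whose module lives
    in system32 is itself an indicator, so its DLL and its key are added too."""
    files = {p for p, reasons in findings.items() if len(reasons) >= 2}
    keys = []
    for name, clsid, module in bhos:
        if name == "(no name)" and module.startswith(SYSTEM32):
            files.add(module)
            keys.append(clsid)
    out = ["File::"] + sorted(files)
    if dirlook:
        out += ["DirLook::"] + list(dirlook)
    if keys:
        out += ["Registry::"] + [
            "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % k for k in keys]
    return "\n".join(out) + "\n"


def demo():
    """Run the triage over the sample lines and return the CFScript text."""
    zatdzknq = "c:\\documents and settings\\Compaq_Owner\\Local Settings\\Application Data\\zatdzknq"
    return build_cfscript(triage(FIND3M_SAMPLE, SCAN_TIME), parse_o2(O2_SAMPLE), dirlook=[zatdzknq])


if __name__ == "__main__":
    for p, why in sorted(triage(FIND3M_SAMPLE, SCAN_TIME, recent_days=90).items()):
        print("%-45s %s" % (p, "; ".join(why)))   # 90-day window also lists wininet.dll, pdh.dll, secdrv.sys
    print(demo())
```

With the 7-day window only mjpcdiez.dll and qemmpqy.dll collect both indicators and avgrsstx.dll collects the name indicator alone; widening the window to 90 days also surfaces wininet.dll, pdh.dll and secdrv.sys with the timestamp indicator alone, which is exactly the set a helper sends to VirusTotal rather than deleting.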
ComboFix Log
ComboFix 09-05-07.01 - Compaq_Owner 12/05/2009 23:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.293 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FILE ::
c:\windows\system32\fdwbplx.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\mjpcdiez.dll
c:\windows\system32\qemmpqy.dll
c:\windows\Tasks\At2.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\lmn_setup.exe
c:\windows\Tasks\At2.job
c:\windows\system32\fdwbplx.dll . . . . failed to delete
c:\windows\system32\mjpcdiez.dll . . . . failed to delete
c:\windows\system32\qemmpqy.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.
2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\zatdzknq
2009-05-07 17:29 . 2009-05-07 17:29 -------- d-----w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Application Data\zatdzknq
2009-05-07 17:18 . 2009-05-07 17:18 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\zatdzknq
2009-05-01 17:43 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 17:43 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 22:46 . 2009-04-29 22:46 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-04-29 22:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 22:43 . 2009-05-01 17:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 11:26 . 2008-10-03 14:21 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-11 11:26 . 2008-10-03 14:21 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-11 11:26 . 2008-10-03 14:21 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 17:50 . 2004-08-04 12:00 143872 ----a-w c:\windows\system32\mjpcdiez.dll
2009-05-07 17:50 . 2004-08-04 12:00 104960 ----a-w c:\windows\system32\qemmpqy.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-02 22:54 . 2004-08-04 12:00 28624 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-02 22:54 . 2009-03-02 22:54 536 ----a-w c:\windows\eReg.dat
2009-02-22 21:18 . 2009-02-22 21:11 256 ----a-w c:\windows\system32\pool.bin
2009-02-20 08:30 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2008-09-21 20:31 . 2008-09-21 20:31 389203 ----a-w c:\program files\CE.dll
2008-09-21 20:31 . 2008-09-21 20:31 144656 ----a-w c:\program files\WebLink.dll
2008-09-21 20:31 . 2008-09-21 20:31 1103120 ----a-w c:\program files\Synchronize.dll
2008-08-08 21:14 . 2008-08-08 21:14 66371 ----a-w c:\program files\BlackBerry_Desktop_Software_Help.chm
2008-08-08 21:14 . 2008-08-08 21:14 5319 ----a-w c:\program files\readme.txt
2008-05-15 18:05 . 2008-05-15 18:05 59904 ----a-w c:\program files\zlib1.dll
2008-05-15 18:05 . 2008-05-15 18:05 172032 ----a-w c:\program files\mimepp_core.dll
2008-05-15 18:05 . 2008-05-15 18:05 4456 ----a-w c:\program files\configurationupgrade.xml
2008-05-15 18:05 . 2008-05-15 18:05 4300 ----a-w c:\program files\conn_install.cfg
2008-05-15 18:05 . 2008-05-15 18:05 2256896 ----a-w c:\program files\ilsync.dll
2008-05-15 18:05 . 2008-05-15 18:05 1483 ----a-w c:\program files\configurationupgrade.dtd
2008-05-15 18:05 . 2008-05-15 18:05 10424 ----a-w c:\program files\System.dtd
2008-05-15 18:05 . 2008-05-15 18:05 26694 ----a-r c:\program files\blackberry.ico
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq ----
2009-05-07 17:29 . 2009-05-07 17:31 32768 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq\Profiles\dq7svbb2.default\urlclassifier3.sqlite
2009-05-07 17:29 . 2009-05-07 17:30 438116 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\zatdzknq\Profiles\dq7svbb2.default\XPC.mfl
((((((((((((((((((((((((((((( SnapShot@2009-05-07_17.53.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-12 22:43 . 2009-05-12 22:43 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
+ 2008-10-03 14:21 . 2009-05-11 11:26 27784 c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15aebf3b-abd5-4570-bf88-4e8f30997a10}]
2004-08-04 12:00 104960 ------w c:\windows\system32\fdwbplx.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 11:26 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 wywjlmtq;wywjlmtq;c:\windows\system32\drivers\wywjlmtq.sys [04/08/2004 13:00 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/10/2008 15:21 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/10/2008 15:21 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/10/2008 15:21 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/10/2008 15:21 298776]
S2 Aniptjoiz;Aniptjoiz;c:\windows\System32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Aniptjoiz
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: skills-arena.co.uk\www
Trusted Zone: skills-arena.com\www
Trusted Zone: skillsarena.co.uk\www
Trusted Zone: skillsarena.com\www
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\c6x4hwuf.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 23:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Perflib_Perfdata_dcc.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-12 23:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 22:45
ComboFix2.txt 2009-05-07 17:54
Pre-Run: 120,348,966,912 bytes free
Post-Run: 120,343,752,704 bytes free
173 --- E O F --- 2009-04-16 23:19
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50:07, on 12/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = myAOL | Compaq
O2 - BHO: (no name) - {15aebf3b-abd5-4570-bf88-4e8f30997a10} - c:\windows\system32\fdwbplx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.skills-arena.co.uk
O15 - Trusted Zone: www.skills-arena.com
O15 - Trusted Zone: www.skillsarena.co.uk
O15 - Trusted Zone: www.skillsarena.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 4725 bytes
Pool.bin scan:-
File pool.bin received on 05.13.2009 00:54:10 (CET)
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.12 -
AhnLab-V3 5.0.0.2 2009.05.12 -
AntiVir 7.9.0.166 2009.05.12 -
Antiy-AVL 2.0.3.1 2009.05.12 -
Authentium 5.1.2.4 2009.05.12 -
Avast 4.8.1335.0 2009.05.12 -
AVG 8.5.0.327 2009.05.12 -
BitDefender 7.2 2009.05.13 -
CAT-QuickHeal 10.00 2009.05.12 -
ClamAV 0.94.1 2009.05.12 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 -
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.12 -
F-Secure 8.0.14470.0 2009.05.13 -
Fortinet 3.117.0.0 2009.05.12 -
GData 19 2009.05.13 -
Ikarus T3.1.1.49.0 2009.05.12 -
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 -
McAfee 5613 2009.05.12 -
McAfee+Artemis 5613 2009.05.12 -
McAfee-GW-Edition 6.7.6 2009.05.12 -
Microsoft 1.4602 2009.05.12 -
NOD32 4068 2009.05.12 -
Norman 6.01.05 2009.05.12 -
nProtect 2009.1.8.0 2009.05.12 -
Panda 10.0.0.14 2009.05.12 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 -
Sophos 4.41.0 2009.05.12 -
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 -
TheHacker 6.3.4.1.325 2009.05.12 -
TrendMicro 8.950.0.1092 2009.05.12 -
VBA32 3.12.10.4 2009.05.12 -
ViRobot 2009.5.12.1731 2009.05.12 -
VirusBuster 4.6.5.0 2009.05.12 -
Additional information
File size: 256 bytes
MD5...: 9c4e72f87ba61b82f20947f7d83ecb2a
SHA1..: 8317400d0f7ddd514fc77e68581e6b3d2c93b73e
SHA256: 12cecb0c1833d38db3a4ce7cd72a8a0e4f0c4d122c5f0b52348bfb722b5dc088
SHA512: 98b0a27fdaf03b1b5859f7c5873fe172964bdfefa01bc51ff4370a067bf950a3cccc369e037d8ae6d1fddd92b068f93df4f2282797f0b359adcdfa9464db0004
ssdeep: 6:Qf8diWtparweHnKTec4XeC1dUYAC1h47vgop+Tslinpz:QkgWQweHEecaeCDj+IoWhnpz
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-
Wininet.dll scan:-
File wininet.dll received on 05.13.2009 00:58:52 (CET)
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.12 -
AhnLab-V3 5.0.0.2 2009.05.12 -
AntiVir 7.9.0.166 2009.05.12 -
Antiy-AVL 2.0.3.1 2009.05.12 -
Authentium 5.1.2.4 2009.05.12 -
Avast 4.8.1335.0 2009.05.12 -
AVG 8.5.0.327 2009.05.12 -
BitDefender 7.2 2009.05.13 -
CAT-QuickHeal 10.00 2009.05.12 -
ClamAV 0.94.1 2009.05.12 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 -
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.12 -
F-Secure 8.0.14470.0 2009.05.13 -
Fortinet 3.117.0.0 2009.05.12 -
GData 19 2009.05.13 -
Ikarus T3.1.1.49.0 2009.05.12 -
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 -
McAfee 5613 2009.05.12 -
McAfee+Artemis 5613 2009.05.12 -
McAfee-GW-Edition 6.7.6 2009.05.12 -
Microsoft 1.4602 2009.05.12 -
NOD32 4068 2009.05.12 -
Norman 6.01.05 2009.05.12 -
nProtect 2009.1.8.0 2009.05.12 -
Panda 10.0.0.14 2009.05.12 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 -
Sophos 4.41.0 2009.05.12 -
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 -
TheHacker 6.3.4.1.325 2009.05.12 -
TrendMicro 8.950.0.1092 2009.05.12 -
VBA32 3.12.10.4 2009.05.12 -
ViRobot 2009.5.12.1731 2009.05.12 -
Additional information
File size: 659456 bytes
MD5...: f1dbf177aa0db2150e626595d0eff604
SHA1..: daab026c08844167fe2646e47c7247c5a4607087
SHA256: 9061aeb92f2dd0ec525897734c2ef384037ec704e43135be53661b6d5daa28fc
SHA512: db2e24b59dee50cb18efb0e4dae45d2846ba28a0c3a20f04a8aacfd23d8cc5cc8310197b8e7d9fd372b1e69f0f192ee521fe9b43a0a846794b97c156e031b261
ssdeep: 12288:M8+xzz32XoFzTtWT5WCictpDFraeQI3fh1QkTgS/mIvP59TMHHUkevTx6b:M8Ez3GoFzTUT58ctNVaeQI3fh2kTgS/N
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1551
timedatestamp.....: 0x499e6a1f (Fri Feb 20 08:30:23 2009)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x87f80 0x88000 6.60 13cbbe0be435e78c04a38a33319aa786
.data 0x89000 0x5fd8 0x2200 2.35 12f4d378cef1956fc4482205e204f1fa
.rsrc 0x8f000 0x11828 0x11a00 4.76 072576a2bad68e7c2255c7949e64761d
.reloc 0xa1000 0x4fb8 0x5000 6.79 fbd851ca835fc049e55e3c62f04b010e
( 7 imports )
> ADVAPI32.dll: RegDeleteValueW, RegSetValueExW, RegQueryValueExW, RegCreateKeyA, RegOpenKeyA, RegEnumKeyA, CryptGetProvParam, CryptSetProvParam, CryptAcquireContextA, CryptReleaseContext, RegDeleteValueA, OpenThreadToken, OpenProcessToken, GetTokenInformation, RegOpenKeyExW, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegQueryInfoKeyA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetUserNameA, OpenSCManagerA, EnumServicesStatusA, CloseServiceHandle, RegCreateKeyExW
> CRYPT32.dll: CertGetNameStringW, CryptDecodeObject, CertFindRDNAttr, CertRDNValueToStrA, CertControlStore, CertNameToStrA, CertCreateCertificateContext, CertGetCertificateContextProperty, CertFindCertificateInStore, CertSetCertificateContextProperty, CertOpenSystemStoreA, CertCloseStore, CertFindExtension, CertGetIntendedKeyUsage, CertDuplicateCertificateContext, CertFreeCertificateContext, CryptUnprotectData
> KERNEL32.dll: ExitThread, ExpandEnvironmentStringsA, SuspendThread, TerminateThread, GetACP, RtlMoveMemory, ResetEvent, CreateThread, Sleep, SetErrorMode, FormatMessageA, lstrcatA, SystemTimeToFileTime, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, TlsGetValue, TlsAlloc, GetCurrentThreadId, TlsFree, TlsSetValue, WaitForMultipleObjects, GetTimeFormatA, lstrcpyA, InterlockedCompareExchange, GetCurrentThread, GetCurrentProcess, IsDBCSLeadByte, IsBadReadPtr, GlobalAlloc, GlobalFree, IsBadStringPtrW, DeleteFileA, IsBadCodePtr, IsBadWritePtr, SleepEx, GetModuleFileNameA, GetSystemTime, WritePrivateProfileStringA, WriteFile, SetFilePointer, ReadFile, FileTimeToSystemTime, LocalReAlloc, DeleteCriticalSection, InitializeCriticalSection, InterlockedDecrement, InterlockedIncrement, LocalAlloc, GetFileTime, ReleaseSemaphore, CreateSemaphoreA, LocalFileTimeToFileTime, MoveFileA, MoveFileExA, GetVersion, CompareStringA, GetFileAttributesA, GetEnvironmentVariableA, GetWindowsDirectoryA, RemoveDirectoryA, GetShortPathNameA, FileTimeToDosDateTime, SetFileAttributesA, GetPrivateProfileStringA, SetFileTime, CreateDirectoryA, CopyFileA, DeviceIoControl, GetDiskFreeSpaceA, FindClose, FindNextFileA, FindFirstFileA, DosDateTimeToFileTime, FlushViewOfFile, UnmapViewOfFile, MapViewOfFileEx, CreateFileMappingA, OpenFileMappingA, SetEndOfFile, LoadLibraryExA, GetUserDefaultLCID, HeapFree, HeapAlloc, GetProcessHeap, GetComputerNameA, LoadLibraryW, GlobalUnlock, GlobalLock, GlobalSize, lstrcpynW, InitializeCriticalSectionAndSpinCount, GetDateFormatA, WaitForSingleObject, GetProcAddress, LoadLibraryA, lstrcmpiA, GetLastError, FreeLibrary, lstrcpynA, lstrlenA, WideCharToMultiByte, InterlockedExchange, CloseHandle, OpenEventA, LeaveCriticalSection, EnterCriticalSection, SetLastError, LocalFree, GetVersionExA, GetFileSize, CreateFileA, GetSystemDirectoryA, lstrlenW, MultiByteToWideChar, GetModuleHandleA, OpenMutexA, CreateMutexA, ReleaseMutex, RaiseException, lstrcmpA, SetEvent, CreateEventA, IsBadStringPtrA
> msvcrt.dll: isdigit, strpbrk, isspace, isalnum, time, strtoul, _vsnprintf, _ftol, ispunct, iscntrl, isalpha, _purecall, _CxxThrowException, wcsncpy, wcscat, wcsstr, srand, rand, wcslen, _wtoi, wcscpy, _wcsnicmp, wcstok, _wcsicmp, wcscmp, malloc, free, realloc, _initterm, _adjust_fdiv, __dllonexit, _onexit, __1type_info@@UAE@XZ, _terminate@@YAXXZ, sprintf, memchr, isxdigit, _except_handler3
> OLEAUT32.dll: -, -, -, -, -
> SHLWAPI.dll: PathRemoveFileSpecW, PathRemoveBackslashA, PathRemoveFileSpecA, StrNCatA, -, PathRenameExtensionA, -, SHDeleteKeyA, StrCmpNIW, -, wvnsprintfA, -, -, -, -, StrCmpNIA, StrStrA, -, StrChrW, StrChrA, -, -, UrlCombineW, UrlCanonicalizeW, -, UrlCombineA, UrlCanonicalizeA, -, PathCreateFromUrlA, UrlUnescapeA, StrNCatW, StrToIntW, StrCpyW, -, -, -, StrStrIA, StrCmpW, SHRegGetUSValueA, StrCmpNA, StrToIntA, StrCatBuffA, StrRChrA, StrCmpIW, -, -, SHSetValueW, -, -, -, StrStrIW, SHGetValueW, SHSetValueA, SHGetValueA, wnsprintfA, wnsprintfW, StrCpyNW, PathFindFileNameW, -, -, SHRegGetValueW, -, -, -, -, StrCatBuffW, -, -, -, -
> USER32.dll: IsWindow, IntersectRect, EqualRect, wsprintfW, LoadIconA, LoadImageA, DestroyIcon, SetForegroundWindow, EnumChildWindows, SetWindowTextA, GetParent, GetWindowRect, ScreenToClient, SendMessageA, PostMessageA, FindWindowA, LoadStringA, ShowWindow, GetDesktopWindow, wsprintfA, CharLowerA, DestroyWindow, IsDlgButtonChecked, EnableWindow, SetFocus, GetDlgItem, EndDialog, CheckDlgButton, CreateWindowExA, RegisterWindowMessageA, KillTimer, SetTimer, DefWindowProcA, SetWindowLongA, GetWindowLongA, RegisterClassA, CharNextA, CharToOemA, CharUpperA, CharLowerW, IsCharAlphaNumericA, SetWindowPos, CharNextExA, WinHelpA, SendDlgItemMessageA
( 225 exports )
CommitUrlCacheEntryA, CommitUrlCacheEntryW, CreateMD5SSOHash, CreateUrlCacheContainerA, CreateUrlCacheContainerW, CreateUrlCacheEntryA, CreateUrlCacheEntryW, CreateUrlCacheGroup, DeleteIE3Cache, DeleteUrlCacheContainerA, DeleteUrlCacheContainerW, DeleteUrlCacheEntry, DeleteUrlCacheEntryA, DeleteUrlCacheEntryW, DeleteUrlCacheGroup, DetectAutoProxyUrl, DllInstall, FindCloseUrlCache, FindFirstUrlCacheContainerA, FindFirstUrlCacheContainerW, FindFirstUrlCacheEntryA, FindFirstUrlCacheEntryExA, FindFirstUrlCacheEntryExW, FindFirstUrlCacheEntryW, FindFirstUrlCacheGroup, FindNextUrlCacheContainerA, FindNextUrlCacheContainerW, FindNextUrlCacheEntryA, FindNextUrlCacheEntryExA, FindNextUrlCacheEntryExW, FindNextUrlCacheEntryW, FindNextUrlCacheGroup, ForceNexusLookup, ForceNexusLookupExW, FreeUrlCacheSpaceA, FreeUrlCacheSpaceW, FtpCommandA, FtpCommandW, FtpCreateDirectoryA, FtpCreateDirectoryW, FtpDeleteFileA, FtpDeleteFileW, FtpFindFirstFileA, FtpFindFirstFileW, FtpGetCurrentDirectoryA, FtpGetCurrentDirectoryW, FtpGetFileA, FtpGetFileEx, FtpGetFileSize, FtpGetFileW, FtpOpenFileA, FtpOpenFileW, FtpPutFileA, FtpPutFileEx, FtpPutFileW, FtpRemoveDirectoryA, FtpRemoveDirectoryW, FtpRenameFileA, FtpRenameFileW, FtpSetCurrentDirectoryA, FtpSetCurrentDirectoryW, GetUrlCacheConfigInfoA, GetUrlCacheConfigInfoW, GetUrlCacheEntryInfoA, GetUrlCacheEntryInfoExA, GetUrlCacheEntryInfoExW, GetUrlCacheEntryInfoW, GetUrlCacheGroupAttributeA, GetUrlCacheGroupAttributeW, GetUrlCacheHeaderData, GopherCreateLocatorA, GopherCreateLocatorW, GopherFindFirstFileA, GopherFindFirstFileW, GopherGetAttributeA, GopherGetAttributeW, GopherGetLocatorTypeA, GopherGetLocatorTypeW, GopherOpenFileA, GopherOpenFileW, HttpAddRequestHeadersA, HttpAddRequestHeadersW, HttpCheckDavCompliance, HttpEndRequestA, HttpEndRequestW, HttpOpenRequestA, HttpOpenRequestW, HttpQueryInfoA, HttpQueryInfoW, HttpSendRequestA, HttpSendRequestExA, HttpSendRequestExW, HttpSendRequestW, IncrementUrlCacheHeaderData, InternetAlgIdToStringA, InternetAlgIdToStringW, InternetAttemptConnect, InternetAutodial, InternetAutodialCallback, InternetAutodialHangup, InternetCanonicalizeUrlA, InternetCanonicalizeUrlW, InternetCheckConnectionA, InternetCheckConnectionW, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetCombineUrlA, InternetCombineUrlW, InternetConfirmZoneCrossing, InternetConfirmZoneCrossingA, InternetConfirmZoneCrossingW, InternetConnectA, InternetConnectW, InternetCrackUrlA, InternetCrackUrlW, InternetCreateUrlA, InternetCreateUrlW, InternetDial, InternetDialA, InternetDialW, InternetEnumPerSiteCookieDecisionA, InternetEnumPerSiteCookieDecisionW, InternetErrorDlg, InternetFindNextFileA, InternetFindNextFileW, InternetFortezzaCommand, InternetGetCertByURL, InternetGetCertByURLA, InternetGetConnectedState, InternetGetConnectedStateEx, InternetGetConnectedStateExA, InternetGetConnectedStateExW, InternetGetCookieA, InternetGetCookieExA, InternetGetCookieExW, InternetGetCookieW, InternetGetLastResponseInfoA, InternetGetLastResponseInfoW, InternetGetPerSiteCookieDecisionA, InternetGetPerSiteCookieDecisionW, InternetGoOnline, InternetGoOnlineA, InternetGoOnlineW, InternetHangUp, InternetInitializeAutoProxyDll, InternetLockRequestFile, InternetOpenA, InternetOpenUrlA, InternetOpenUrlW, InternetOpenW, InternetQueryDataAvailable, InternetQueryFortezzaStatus, InternetQueryOptionA, InternetQueryOptionW, InternetReadFile, InternetReadFileExA, InternetReadFileExW, InternetSecurityProtocolToStringA, InternetSecurityProtocolToStringW, InternetSetCookieA, InternetSetCookieExA, InternetSetCookieExW, InternetSetCookieW, InternetSetDialState, InternetSetDialStateA, InternetSetDialStateW, InternetSetFilePointer, InternetSetOptionA, InternetSetOptionExA, InternetSetOptionExW, InternetSetOptionW, InternetSetPerSiteCookieDecisionA, InternetSetPerSiteCookieDecisionW, InternetSetStatusCallback, InternetSetStatusCallbackA, InternetSetStatusCallbackW, InternetShowSecurityInfoByURL, InternetShowSecurityInfoByURLA, InternetShowSecurityInfoByURLW, InternetTimeFromSystemTime, InternetTimeFromSystemTimeA, InternetTimeFromSystemTimeW, InternetTimeToSystemTime, InternetTimeToSystemTimeA, InternetTimeToSystemTimeW, InternetUnlockRequestFile, InternetWriteFile, InternetWriteFileExA, InternetWriteFileExW, IsHostInProxyBypassList, IsUrlCacheEntryExpiredA, IsUrlCacheEntryExpiredW, LoadUrlCacheContent, ParseX509EncodedCertificateForListBoxEntry, PrivacyGetZonePreferenceW, PrivacySetZonePreferenceW, ReadUrlCacheEntryStream, RegisterUrlCacheNotification, ResumeSuspendedDownload, RetrieveUrlCacheEntryFileA, RetrieveUrlCacheEntryFileW, RetrieveUrlCacheEntryStreamA, RetrieveUrlCacheEntryStreamW, RunOnceUrlCache, SetUrlCacheConfigInfoA, SetUrlCacheConfigInfoW, SetUrlCacheEntryGroup, SetUrlCacheEntryGroupA, SetUrlCacheEntryGroupW, SetUrlCacheEntryInfoA, SetUrlCacheEntryInfoW, SetUrlCacheGroupAttributeA, SetUrlCacheGroupAttributeW, SetUrlCacheHeaderData, ShowCertificate, ShowClientAuthCerts, ShowSecurityInfo, ShowX509EncodedCertificate, UnlockUrlCacheEntryFile, UnlockUrlCacheEntryFileA, UnlockUrlCacheEntryFileW, UnlockUrlCacheEntryStream, UpdateUrlCacheContentPath, UrlZonesDetach, _GetFileExtensionFromUrl
PDFiD.: -
RDS...: NSRL Reference Data Set
zlib1.dll scan:-
File zlib1.dll received on 05.13.2009 01:01:11 (CET)
Result: 0/40 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.12 -
AhnLab-V3 5.0.0.2 2009.05.12 -
AntiVir 7.9.0.166 2009.05.12 -
Antiy-AVL 2.0.3.1 2009.05.12 -
Authentium 5.1.2.4 2009.05.12 -
Avast 4.8.1335.0 2009.05.12 -
AVG 8.5.0.327 2009.05.12 -
BitDefender 7.2 2009.05.13 -
CAT-QuickHeal 10.00 2009.05.12 -
ClamAV 0.94.1 2009.05.12 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.13 -
eSafe 7.0.17.0 2009.05.12 -
eTrust-Vet 31.6.6502 2009.05.12 -
F-Prot 4.4.4.56 2009.05.12 -
F-Secure 8.0.14470.0 2009.05.13 -
Fortinet 3.117.0.0 2009.05.12 -
GData 19 2009.05.13 -
Ikarus T3.1.1.49.0 2009.05.12 -
K7AntiVirus 7.10.732 2009.05.11 -
Kaspersky 7.0.0.125 2009.05.12 -
McAfee 5613 2009.05.12 -
McAfee+Artemis 5613 2009.05.12 -
McAfee-GW-Edition 6.7.6 2009.05.12 -
Microsoft 1.4602 2009.05.12 -
NOD32 4068 2009.05.12 -
Norman 6.01.05 2009.05.12 -
nProtect 2009.1.8.0 2009.05.12 -
Panda 10.0.0.14 2009.05.12 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.13 -
Rising 21.29.14.00 2009.05.12 -
Sophos 4.41.0 2009.05.12 -
Sunbelt 3.2.1858.2 2009.05.12 -
Symantec 1.4.4.12 2009.05.13 -
TheHacker 6.3.4.1.325 2009.05.12 -
TrendMicro 8.950.0.1092 2009.05.12 -
VBA32 3.12.10.4 2009.05.12 -
ViRobot 2009.5.12.1731 2009.05.12 -
VirusBuster 4.6.5.0 2009.05.12 -
Additional information
File size: 59904 bytes
MD5...: 80e41408f6d641dc1c0f5353a0cc8125
SHA1..: 6d957ba632df5b06d49a901f2772df4301610a2a
SHA256: b09537250201236472ccd3caff5c0c12a5fad262e1e951350e9e5ed2a81d9dde
SHA512: 857d4dc087c73f00d79bf70edfc67ddc0b15a86a4fff366d91e5ef6684af43eed7dcf8579f6b4fb35dedd090973e2bde1a82aae07642136b608eeb1d567e5c03
ssdeep: 1536:b/jUwfZ7BURaHUry7nToIfYIOlIO+CM6:1x7BURaHUrgTBfev+CM6
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0xa146
timedatestamp.....: 0x42de1dda (Wed Jul 20 09:48:10 2005)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x923f 0x9400 6.56 c758d703412b079681936e5c60c5080b
.rdata 0xb000 0x464d 0x4800 6.62 3152b1002f44bfacb6198a3316775909
.data 0x10000 0x74 0x200 0.47 de7a3eab5a56e099b2791c1ecfb9c39b
.rsrc 0x11000 0x398 0x400 3.07 b932cf50c0e8cbb81b132fbe559b343d
.reloc 0x12000 0x368 0x400 4.66 f7c1ccbc1b3eeb94d081424363cc02f4
( 2 imports )
> MSVCRT.dll: free, malloc, strerror, fflush, _errno, fopen, fread, fprintf, _vsnprintf, sprintf, ftell, fseek, fclose, clearerr, _fdopen, _initterm, _adjust_fdiv, fwrite, fputc
> KERNEL32.dll: DisableThreadLibraryCalls
( 51 exports )
adler32, compress, compress2, compressBound, crc32, deflate, deflateBound, deflateCopy, deflateEnd, deflateInit2_, deflateInit_, deflateParams, deflatePrime, deflateReset, deflateSetDictionary, get_crc_table, gzclearerr, gzclose, gzdopen, gzeof, gzerror, gzflush, gzgetc, gzgets, gzopen, gzprintf, gzputc, gzputs, gzread, gzrewind, gzseek, gzsetparams, gztell, gzungetc, gzwrite, inflate, inflateBack, inflateBackEnd, inflateBackInit_, inflateCopy, inflateEnd, inflateInit2_, inflateInit_, inflateReset, inflateSetDictionary, inflateSync, inflateSyncPoint, uncompress, zError, zlibCompileFlags, zlibVersion
PDFiD.: -
RDS...: NSRL Reference Data Set
Thxs!
Jx
Some tough ones there, let's give this scanner a try to finish off the bad guys.
Please download and install SUPERAntiSpyware Trial Edition (SUPERAntiSpyware.com - AntiAdware. AntiSpyware. AntiMalware.)
* Load SUPERAntiSpyware and click the Check for Updates button.
* Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, as it may interfere with the scanning process.
* Open SUPERAntiSpyware and click the Scan your Computer button.
* Check Perform Complete Scan and then click Next.
* SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
* Make sure that they all have a check next to them, and then click Next.
* Click Finish and you will be taken back to the main interface.
* It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
* I'll need a log afterwards of what has been found.
* To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
* Please post the results of the SUPERAntiSpyware log in your next reply.