Dear Experts,
My machine is infected by Trojan Vundo. I cleaned it up, but it appears there are still some traces left, as it comes up again after 10 minutes or whenever I reboot.
Could you please help me to clean this mess?
Thanks,
EMAIL REMOVED
Following are the logs:
------------------------------------------------------------
Log from MBAM (12/29)
------------------------------------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2
12/29/2008 1:53:41 AM
mbam-log-2008-12-29 (01-53-41).txt
Scan type: Quick Scan
Objects scanned: 60619
Time elapsed: 6 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm636ddce9 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jalumeteka (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6369 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd5273 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1918 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4453 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\foponiga.dll -> Delete on reboot.
Folders Infected:
D:\Documents and Settings\Kaushik Patra\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\kuvusabu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubasuvuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pofusido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odisufop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vativise.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esivitav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\loguteyu.dll_old (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukizota.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Delete on reboot.
D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
------------------------------------------------------------------------------------------------------------
Log from Panda Security
-------------------------------------------------------------------------------------------------------------
(will update it later; scanning is still going on)
--------------------------------------------------------------------------------------------------------------
Log from HijackThis(12/29)
--------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:47 AM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
D:\Connected\AgentService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
D:\DOCUME~1\KAUSHI~1\LOCALS~1\Temp\stf97.tmp
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iedownload.in...sp1/install.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amc-proxy01:8080
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} - C:\WINDOWS\system32\nivedusa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [AppInstaller] C:\WINDOWS\I386\fi\tivoli\AppInst\AppInst.EXE
O4 - HKLM\..\Run: [DSKMGR] C:\Program Files\Desktop Manager\DskMgr.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CPM636ddce9] Rundll32.exe "c:\windows\system32\behabiji.dll",a
O4 - HKLM\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA5611] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7346] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [gadcom] "D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\RunOnce: [SpybotDeletingB4745] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7162] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.209.172.180.115
O15 - Trusted Zone: http://*.209.172.180.115
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.ariba.com
O15 - Trusted Zone: http://*.ariba.com
O15 - Trusted Zone: *.bcop.com
O15 - Trusted Zone: http://*.bcop.com
O15 - Trusted Zone: *.bmitools.net
O15 - Trusted Zone: *.bymckinsey.com
O15 - Trusted Zone: *.cdw.com
O15 - Trusted Zone: http://*.cdw.com
O15 - Trusted Zone: *.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: http://*.gib.dealogic.com
O15 - Trusted Zone: http://*.dealogic.com
O15 - Trusted Zone: *.easybank.at
O15 - Trusted Zone: *.mckinsey.edtlearning.com
O15 - Trusted Zone: http://*.mckinsey.edtlearning.com
O15 - Trusted Zone: *.edtlearning.com
O15 - Trusted Zone: http://*.edtlearning.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: http://*.elementk.com
O15 - Trusted Zone: *.factiva.com
O15 - Trusted Zone: *.four51.com
O15 - Trusted Zone: http://*.four51.com
O15 - Trusted Zone: *.globalprofitpools.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.grandandtoy.com
O15 - Trusted Zone: http://*.grandandtoy.com
O15 - Trusted Zone: *.hallmark.com
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hbs.edu
O15 - Trusted Zone: http://*.hbs.edu
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hoovers.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hp.com
O15 - Trusted Zone: *.icp
O15 - Trusted Zone: *.infotriever.com
O15 - Trusted Zone: *.interride.com
O15 - Trusted Zone: http://*.interride.com
O15 - Trusted Zone: http://www.juliemorgenstern.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: http://*.knowledgenet.com
O15 - Trusted Zone: *.gps.mckinsey.com
O15 - Trusted Zone: http://*.gps.mckinsey.com
O15 - Trusted Zone: icp.intranet.mckinsey.com
O15 - Trusted Zone: mb2.mckinsey.com
O15 - Trusted Zone: http://mb2.mckinsey.com
O15 - Trusted Zone: mb2dev.mckinsey.com
O15 - Trusted Zone: http://mb2dev.mckinsey.com
O15 - Trusted Zone: mb2qa.mckinsey.com
O15 - Trusted Zone: http://mb2qa.mckinsey.com
O15 - Trusted Zone: setup.intranet.mckinsey.com
O15 - Trusted Zone: *.mckinsey.com
O15 - Trusted Zone: http://*.mckinsey.com
O15 - Trusted Zone: *.mckinsey.de
O15 - Trusted Zone: http://*.mckinsey.de
O15 - Trusted Zone: *.mckinseygiftofhope.com
O15 - Trusted Zone: *.mckinseygiftofhope.org
O15 - Trusted Zone: www.mckinseyquarterly.com
O15 - Trusted Zone: *.mckinseyquarterly.com
O15 - Trusted Zone: *.onex.com
O15 - Trusted Zone: http://*.onex.com
O15 - Trusted Zone: *.setup
O15 - Trusted Zone: *.shi.com
O15 - Trusted Zone: http://*.shi.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: *.workplace.com
O15 - Trusted Zone: http://*.workplace.com
O15 - Trusted Zone: *.wwworkplace.com
O15 - Trusted Zone: http://*.wwworkplace.com
O15 - Trusted Zone: *.209.172.180.115 (HKLM)
O15 - Trusted Zone: http://*.209.172.180.115 (HKLM)
O15 - Trusted Zone: *.adobe.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.apple.com (HKLM)
O15 - Trusted Zone: *.ariba.com (HKLM)
O15 - Trusted Zone: *.bcop.com (HKLM)
O15 - Trusted Zone: *.bmitools.net (HKLM)
O15 - Trusted Zone: *.bymckinsey.com (HKLM)
O15 - Trusted Zone: *.compaq.com (HKLM)
O15 - Trusted Zone: *.mckinsey.edtlearning.com (HKLM)
O15 - Trusted Zone: *.edtlearning.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.factiva.com (HKLM)
O15 - Trusted Zone: *.four51.com (HKLM)
O15 - Trusted Zone: *.globalprofitpools.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.hallmark.com (HKLM)
O15 - Trusted Zone: *.hbs.edu (HKLM)
O15 - Trusted Zone: *.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: *.hoovers.com (HKLM)
O15 - Trusted Zone: *.hp.com (HKLM)
O15 - Trusted Zone: *.icp (HKLM)
O15 - Trusted Zone: *.infotriever.com (HKLM)
O15 - Trusted Zone: *.interride.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O15 - Trusted Zone: *.mckinsey.com (HKLM)
O15 - Trusted Zone: *.mckinsey.de (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.com (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.org (HKLM)
O15 - Trusted Zone: *.mckinseyquarterly.com (HKLM)
O15 - Trusted Zone: *.setup (HKLM)
O15 - Trusted Zone: *.shi.com (HKLM)
O15 - Trusted Zone: *.webex.com (HKLM)
O15 - Trusted Zone: *.workplace.com (HKLM)
O15 - Trusted Zone: *.wwworkplace.com (HKLM)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\Software\..\Telephony: DomainName = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\behabiji.dll,C:\WINDOWS\system32\foponiga.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AgentService - Iron Mountain Incorporated - D:\Connected\AgentService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
--
End of file - 20204 bytes
---------------------------------------------------------------------------------------------
#1
Posted 29 December 2008 - 07:55 AM
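Why the DLLs come back after a reboot is visible in the two logs above. The items MBAM could only mark "Delete on reboot" are the ones registered in AppInit_DLLs and in the LSA Notification Packages list, so they are loaded into every process that loads user32.dll and into lsass.exe, which is why they could not be removed while Windows was running; other DLLs of the same family are wired in as a BHO, as an SSODL/SharedTaskScheduler object, and as Run values under the LOCAL SERVICE and NETWORK SERVICE hives. The script below is an added example for this thread, not code from the original post and not part of HijackThis or Malwarebytes: it pulls those autostart entries out of a HijackThis log, cross-checks them against the files an MBAM log reported, and flags "(file missing)" leftovers, AppInit_DLLs entries and Trusted Zone entries for bare IP addresses. The sample logs are constructed from lines in the post; the function and constant names (`triage`, `mbam_detected_binaries`, `PERSISTENCE`, and so on) are this example's own.

```python
"""Cross-check a HijackThis log against a Malwarebytes (MBAM) log.

Added example for this thread, not code from the original post, HijackThis
or Malwarebytes. Sample logs are constructed from lines in the post above.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# HijackThis sections for entries loaded at boot/logon or into every process;
# these, not the file list, are where the returning DLLs are registered.
PERSISTENCE = {"O2": "BHO", "O4": "Run/RunOnce", "O20": "AppInit_DLLs/Winlogon Notify",
               "O21": "ShellServiceObjectDelayLoad", "O22": "SharedTaskScheduler"}
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Basename of any binary on a line; backslash, quote, comma and space end a
# name (AppInit_DLLs separates its entries with spaces and commas).
BINARY_NAME = re.compile(r'[^\\\s",]+\.(?:dll_old|dll|exe|ini|tmp)\b', re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _canonical(name: str) -> str:
    # Spybot renames a locked DLL to .dll_old before its RunOnce delete;
    # treat the renamed copy and the live DLL as the same file.
    name = name.lower()
    return name[:-4] if name.endswith("_old") else name


def mbam_detected_binaries(mbam_log: str) -> set[str]:
    """Basenames of every file MBAM reported, including registry Data items."""
    names: set[str] = set()
    for line in mbam_log.splitlines():
        if "->" in line:  # every MBAM result line carries an action arrow
            names.update(_canonical(n) for n in BINARY_NAME.findall(line))
    return names


def triage(hjt_log: str, known_bad: set[str] = frozenset()) -> list[Finding]:
    """Return the HijackThis entries that deserve a second look."""
    known = {_canonical(n) for n in known_bad}
    findings: list[Finding] = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code in PERSISTENCE:
            if "(file missing)" in body:
                findings.append(Finding(code, "points at a file that is already gone; the "
                                        "registry value itself still has to be removed", line))
            for name in sorted({_canonical(n) for n in BINARY_NAME.findall(body)}):
                if name in known:
                    findings.append(Finding(code, f"loads {name}, which the MBAM scan flagged", line))
            if code == "O20" and body.startswith("AppInit_DLLs:"):
                n = len(BINARY_NAME.findall(body))
                findings.append(Finding(code, f"AppInit_DLLs is normally empty; these {n} DLLs are "
                                        "injected into every process that loads user32.dll", line))
            if code == "O4" and any(f"HKUS\\{sid}\\" in body for sid in SERVICE_ACCOUNT_SIDS):
                findings.append(Finding(code, "Run entry under a service-account hive (LOCAL SERVICE / "
                                        "NETWORK SERVICE), not a place legitimate software installs itself", line))
        elif code == "O15":
            parts = body.split("Trusted Zone:", 1)[-1].split()
            host = re.sub(r"^(?:https?://)?(?:\*\.)?", "", parts[0]) if parts else ""
            if IPV4.match(host):
                findings.append(Finding(code, f"IE Trusted Zone entry for a bare IP address ({host}); "
                                        "that zone relaxes ActiveX and scripting restrictions", line))
    return findings


# Constructed samples: lines copied from the two logs in the post.
MBAM_SAMPLE = r"""
C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.
C:\WINDOWS\system32\loguteyu.dll_old (Trojan.Vundo.H) -> Delete on reboot.
D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
"""
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} - C:\WINDOWS\system32\nivedusa.dll
O4 - HKLM\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s
O4 - HKUS\S-1-5-19\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O15 - Trusted Zone: *.209.172.180.115
O15 - Trusted Zone: *.adobe.com
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll c:\windows\system32\behabiji.dll,C:\WINDOWS\system32\foponiga.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, mbam_detected_binaries(MBAM_SAMPLE)):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it prints the findings in log order; paste the full logs from the post in place of the samples and the same checks apply. The one step beyond what the post states is the `.dll_old` canonicalisation: the MBAM log lists loguteyu.dll_old (the copy Spybot renamed), while the O4 entries, including the ones under the LOCAL SERVICE and NETWORK SERVICE hives, still load loguteyu.dll, so the two names are treated as the same file when cross-referencing.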
#2
Posted 29 December 2008 - 03:09 PM
Kaushik, on Dec 29 2008, 02:55 AM, said:
------------------------------------------------------------------------------------------------------------
Log from Panda securities
-------------------------------------------------------------------------------------------------------------
;*******************************************************************************
ANALYSIS: 2008-12-29 10:01:15
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 5
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Symantec Antivirus Corporate Edition 10.1 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No D:\Documents and Settings\Kaushik Patra\Cookies\kaushik patra@clickbank[1].txt
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Uninstall 1.0\nircmd.exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\nircmd.exe
00456116 Adware/Antivirus2009 Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\Temporary Internet Files\Content.IE5\9IJD21RC\freescan[1].htm
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2D160D2-1505-4B9C-BC8D-73CBEF1010B6}\cache\nircmd.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\screen\nircmd.exe
01174115 Trj/Downloader.OXI Virus/Trojan No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\check_win.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\nircmd.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\System32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q.old
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\jgpfmwgx.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wvUMEWpP.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q
04098656 Adware/SaveNow Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\TempImages\si1setup-142-SI1PRT1-silent.exe
04098656 Adware/SaveNow Adware No 0 No No D:\Documents and Settings\Kaushik Patra\Desktop\software\OneClickBlackBerryVideoConverterSetup.exe[si1setup-142-SI1PRT1-silent.exe]
04454968 Generic Trojan Virus/Trojan No 0 Yes No d:\documents and settings\kaushik patra\application data\gadcom\gadcom.exe
04454968 Generic Trojan Virus/Trojan No 0 Yes No D:\Avenger\gadcom-ren-144\gadcom.exea
04476628 Generic Trojan Virus/Trojan No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp
04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll
04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll
;===============================================================================
SUSPECTS
Sent Location y
;===============================================================================
No C:\Compaq\tools\CPAU.exe y
No C:\WINDOWS\I386\fi\Altiris\SW Portal\Cpau.exe y
No C:\WINDOWS\system32\CPAU.exe y
No D:\Documents and Settings\All Users\Application Data\SecTaskMan\prunnet.exe.q_8048A00_q y
No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\prun.tmp y
;===============================================================================
VULNERABILITIES
Id Severity Description y
;===============================================================================
;===============================================================================
--------------------------------------------------------------------------------------------------------------
Log from HijackThis(12/29)
--------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:47 AM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
D:\Connected\AgentService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
D:\DOCUME~1\KAUSHI~1\LOCALS~1\Temp\stf97.tmp
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iedownload.in...sp1/install.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amc-proxy01:8080
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} - C:\WINDOWS\system32\nivedusa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [AppInstaller] C:\WINDOWS\I386\fi\tivoli\AppInst\AppInst.EXE
O4 - HKLM\..\Run: [DSKMGR] C:\Program Files\Desktop Manager\DskMgr.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CPM636ddce9] Rundll32.exe "c:\windows\system32\behabiji.dll",a
O4 - HKLM\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA5611] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7346] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [gadcom] "D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\RunOnce: [SpybotDeletingB4745] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7162] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.209.172.180.115
O15 - Trusted Zone: http://*.209.172.180.115
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.ariba.com
O15 - Trusted Zone: http://*.ariba.com
O15 - Trusted Zone: *.bcop.com
O15 - Trusted Zone: http://*.bcop.com
O15 - Trusted Zone: *.bmitools.net
O15 - Trusted Zone: *.bymckinsey.com
O15 - Trusted Zone: *.cdw.com
O15 - Trusted Zone: http://*.cdw.com
O15 - Trusted Zone: *.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: http://*.gib.dealogic.com
O15 - Trusted Zone: http://*.dealogic.com
O15 - Trusted Zone: *.easybank.at
O15 - Trusted Zone: *.mckinsey.edtlearning.com
O15 - Trusted Zone: http://*.mckinsey.edtlearning.com
O15 - Trusted Zone: *.edtlearning.com
O15 - Trusted Zone: http://*.edtlearning.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: http://*.elementk.com
O15 - Trusted Zone: *.factiva.com
O15 - Trusted Zone: *.four51.com
O15 - Trusted Zone: http://*.four51.com
O15 - Trusted Zone: *.globalprofitpools.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.grandandtoy.com
O15 - Trusted Zone: http://*.grandandtoy.com
O15 - Trusted Zone: *.hallmark.com
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hbs.edu
O15 - Trusted Zone: http://*.hbs.edu
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hoovers.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hp.com
O15 - Trusted Zone: *.icp
O15 - Trusted Zone: *.infotriever.com
O15 - Trusted Zone: *.interride.com
O15 - Trusted Zone: http://*.interride.com
O15 - Trusted Zone: http://www.juliemorgenstern.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: http://*.knowledgenet.com
O15 - Trusted Zone: *.gps.mckinsey.com
O15 - Trusted Zone: http://*.gps.mckinsey.com
O15 - Trusted Zone: icp.intranet.mckinsey.com
O15 - Trusted Zone: mb2.mckinsey.com
O15 - Trusted Zone: http://mb2.mckinsey.com
O15 - Trusted Zone: mb2dev.mckinsey.com
O15 - Trusted Zone: http://mb2dev.mckinsey.com
O15 - Trusted Zone: mb2qa.mckinsey.com
O15 - Trusted Zone: http://mb2qa.mckinsey.com
O15 - Trusted Zone: setup.intranet.mckinsey.com
O15 - Trusted Zone: *.mckinsey.com
O15 - Trusted Zone: http://*.mckinsey.com
O15 - Trusted Zone: *.mckinsey.de
O15 - Trusted Zone: http://*.mckinsey.de
O15 - Trusted Zone: *.mckinseygiftofhope.com
O15 - Trusted Zone: *.mckinseygiftofhope.org
O15 - Trusted Zone: www.mckinseyquarterly.com
O15 - Trusted Zone: *.mckinseyquarterly.com
O15 - Trusted Zone: *.onex.com
O15 - Trusted Zone: http://*.onex.com
O15 - Trusted Zone: *.setup
O15 - Trusted Zone: *.shi.com
O15 - Trusted Zone: http://*.shi.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: *.workplace.com
O15 - Trusted Zone: http://*.workplace.com
O15 - Trusted Zone: *.wwworkplace.com
O15 - Trusted Zone: http://*.wwworkplace.com
O15 - Trusted Zone: *.209.172.180.115 (HKLM)
O15 - Trusted Zone: http://*.209.172.180.115 (HKLM)
O15 - Trusted Zone: *.adobe.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.apple.com (HKLM)
O15 - Trusted Zone: *.ariba.com (HKLM)
O15 - Trusted Zone: *.bcop.com (HKLM)
O15 - Trusted Zone: *.bmitools.net (HKLM)
O15 - Trusted Zone: *.bymckinsey.com (HKLM)
O15 - Trusted Zone: *.compaq.com (HKLM)
O15 - Trusted Zone: *.mckinsey.edtlearning.com (HKLM)
O15 - Trusted Zone: *.edtlearning.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.factiva.com (HKLM)
O15 - Trusted Zone: *.four51.com (HKLM)
O15 - Trusted Zone: *.globalprofitpools.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.hallmark.com (HKLM)
O15 - Trusted Zone: *.hbs.edu (HKLM)
O15 - Trusted Zone: *.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: *.hoovers.com (HKLM)
O15 - Trusted Zone: *.hp.com (HKLM)
O15 - Trusted Zone: *.icp (HKLM)
O15 - Trusted Zone: *.infotriever.com (HKLM)
O15 - Trusted Zone: *.interride.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O15 - Trusted Zone: *.mckinsey.com (HKLM)
O15 - Trusted Zone: *.mckinsey.de (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.com (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.org (HKLM)
O15 - Trusted Zone: *.mckinseyquarterly.com (HKLM)
O15 - Trusted Zone: *.setup (HKLM)
O15 - Trusted Zone: *.shi.com (HKLM)
O15 - Trusted Zone: *.webex.com (HKLM)
O15 - Trusted Zone: *.workplace.com (HKLM)
O15 - Trusted Zone: *.wwworkplace.com (HKLM)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\Software\..\Telephony: DomainName = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\behabiji.dll,C:\WINDOWS\system32\foponiga.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AgentService - Iron Mountain Incorporated - D:\Connected\AgentService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
--
End of file - 20204 bytes
---------------------------------------------------------------------------------------------
My machine is infected by Trojan Vundo. I cleaned it up but it appears there are still some traces left as it comes up after 10 mins or whenever i reboot it comes up again.
Could you please help me to clean this mess?
Thanks,
EMAIL REMOVED
Following are the logs:
------------------------------------------------------------
Log from MBAM (12/29)
------------------------------------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2
12/29/2008 1:53:41 AM
mbam-log-2008-12-29 (01-53-41).txt
Scan type: Quick Scan
Objects scanned: 60619
Time elapsed: 6 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm636ddce9 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jalumeteka (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6369 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd5273 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1918 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4453 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\foponiga.dll -> Delete on reboot.
Folders Infected:
D:\Documents and Settings\Kaushik Patra\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\kuvusabu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubasuvuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pofusido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odisufop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vativise.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esivitav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\loguteyu.dll_old (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukizota.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Delete on reboot.
D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
------------------------------------------------------------------------------------------------------------
Log from Panda securities
-------------------------------------------------------------------------------------------------------------
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-12-29 10:01:15
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Antivirus Corporate Edition 10.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No D:\Documents and Settings\Kaushik Patra\Cookies\kaushik patra@clickbank[1].txt
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Uninstall 1.0\nircmd.exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\nircmd.exe
00456116 Adware/Antivirus2009 Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\Temporary Internet Files\Content.IE5\9IJD21RC\freescan[1].htm
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2D160D2-1505-4B9C-BC8D-73CBEF1010B6}\cache\nircmd.exe
00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\screen\nircmd.exe
01174115 Trj/Downloader.OXI Virus/Trojan No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\check_win.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\nircmd.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\System32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q.old
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\jgpfmwgx.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wvUMEWpP.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q
04098656 Adware/SaveNow Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\TempImages\si1setup-142-SI1PRT1-silent.exe
04098656 Adware/SaveNow Adware No 0 No No D:\Documents and Settings\Kaushik Patra\Desktop\software\OneClickBlackBerryVideoConverterSetup.exe[si1setup-142-SI1PRT1-silent.exe]
04454968 Generic Trojan Virus/Trojan No 0 Yes No d:\documents and settings\kaushik patra\application data\gadcom\gadcom.exe
04454968 Generic Trojan Virus/Trojan No 0 Yes No D:\Avenger\gadcom-ren-144\gadcom.exea
04476628 Generic Trojan Virus/Trojan No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp
04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll
04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location y
;===================================================================================================================================================================================
No C:\Compaq\tools\CPAU.exe y
No C:\WINDOWS\I386\fi\Altiris\SW Portal\Cpau.exe y
No C:\WINDOWS\system32\CPAU.exe y
No D:\Documents and Settings\All Users\Application Data\SecTaskMan\prunnet.exe.q_8048A00_q y
No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\prun.tmp y
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description y
;===================================================================================================================================================================================
;===================================================================================================================================================================================
--------------------------------------------------------------------------------------------------------------
Log from HijackThis(12/29)
--------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:47 AM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
D:\Connected\AgentService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
D:\DOCUME~1\KAUSHI~1\LOCALS~1\Temp\stf97.tmp
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iedownload.in...sp1/install.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amc-proxy01:8080
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} - C:\WINDOWS\system32\nivedusa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [AppInstaller] C:\WINDOWS\I386\fi\tivoli\AppInst\AppInst.EXE
O4 - HKLM\..\Run: [DSKMGR] C:\Program Files\Desktop Manager\DskMgr.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CPM636ddce9] Rundll32.exe "c:\windows\system32\behabiji.dll",a
O4 - HKLM\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA5611] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7346] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [gadcom] "D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\RunOnce: [SpybotDeletingB4745] command /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7162] cmd /c del "c:\windows\system32\behabiji.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jalumeteka] Rundll32.exe "C:\WINDOWS\system32\loguteyu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.209.172.180.115
O15 - Trusted Zone: http://*.209.172.180.115
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.ariba.com
O15 - Trusted Zone: http://*.ariba.com
O15 - Trusted Zone: *.bcop.com
O15 - Trusted Zone: http://*.bcop.com
O15 - Trusted Zone: *.bmitools.net
O15 - Trusted Zone: *.bymckinsey.com
O15 - Trusted Zone: *.cdw.com
O15 - Trusted Zone: http://*.cdw.com
O15 - Trusted Zone: *.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: http://*.gib.dealogic.com
O15 - Trusted Zone: http://*.dealogic.com
O15 - Trusted Zone: *.easybank.at
O15 - Trusted Zone: *.mckinsey.edtlearning.com
O15 - Trusted Zone: http://*.mckinsey.edtlearning.com
O15 - Trusted Zone: *.edtlearning.com
O15 - Trusted Zone: http://*.edtlearning.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: http://*.elementk.com
O15 - Trusted Zone: *.factiva.com
O15 - Trusted Zone: *.four51.com
O15 - Trusted Zone: http://*.four51.com
O15 - Trusted Zone: *.globalprofitpools.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.grandandtoy.com
O15 - Trusted Zone: http://*.grandandtoy.com
O15 - Trusted Zone: *.hallmark.com
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hbs.edu
O15 - Trusted Zone: http://*.hbs.edu
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hoovers.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hp.com
O15 - Trusted Zone: *.icp
O15 - Trusted Zone: *.infotriever.com
O15 - Trusted Zone: *.interride.com
O15 - Trusted Zone: http://*.interride.com
O15 - Trusted Zone: http://www.juliemorgenstern.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: http://*.knowledgenet.com
O15 - Trusted Zone: *.gps.mckinsey.com
O15 - Trusted Zone: http://*.gps.mckinsey.com
O15 - Trusted Zone: icp.intranet.mckinsey.com
O15 - Trusted Zone: mb2.mckinsey.com
O15 - Trusted Zone: http://mb2.mckinsey.com
O15 - Trusted Zone: mb2dev.mckinsey.com
O15 - Trusted Zone: http://mb2dev.mckinsey.com
O15 - Trusted Zone: mb2qa.mckinsey.com
O15 - Trusted Zone: http://mb2qa.mckinsey.com
O15 - Trusted Zone: setup.intranet.mckinsey.com
O15 - Trusted Zone: *.mckinsey.com
O15 - Trusted Zone: http://*.mckinsey.com
O15 - Trusted Zone: *.mckinsey.de
O15 - Trusted Zone: http://*.mckinsey.de
O15 - Trusted Zone: *.mckinseygiftofhope.com
O15 - Trusted Zone: *.mckinseygiftofhope.org
O15 - Trusted Zone: www.mckinseyquarterly.com
O15 - Trusted Zone: *.mckinseyquarterly.com
O15 - Trusted Zone: *.onex.com
O15 - Trusted Zone: http://*.onex.com
O15 - Trusted Zone: *.setup
O15 - Trusted Zone: *.shi.com
O15 - Trusted Zone: http://*.shi.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: *.workplace.com
O15 - Trusted Zone: http://*.workplace.com
O15 - Trusted Zone: *.wwworkplace.com
O15 - Trusted Zone: http://*.wwworkplace.com
O15 - Trusted Zone: *.209.172.180.115 (HKLM)
O15 - Trusted Zone: http://*.209.172.180.115 (HKLM)
O15 - Trusted Zone: *.adobe.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.apple.com (HKLM)
O15 - Trusted Zone: *.ariba.com (HKLM)
O15 - Trusted Zone: *.bcop.com (HKLM)
O15 - Trusted Zone: *.bmitools.net (HKLM)
O15 - Trusted Zone: *.bymckinsey.com (HKLM)
O15 - Trusted Zone: *.compaq.com (HKLM)
O15 - Trusted Zone: *.mckinsey.edtlearning.com (HKLM)
O15 - Trusted Zone: *.edtlearning.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.factiva.com (HKLM)
O15 - Trusted Zone: *.four51.com (HKLM)
O15 - Trusted Zone: *.globalprofitpools.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.hallmark.com (HKLM)
O15 - Trusted Zone: *.hbs.edu (HKLM)
O15 - Trusted Zone: *.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: *.hoovers.com (HKLM)
O15 - Trusted Zone: *.hp.com (HKLM)
O15 - Trusted Zone: *.icp (HKLM)
O15 - Trusted Zone: *.infotriever.com (HKLM)
O15 - Trusted Zone: *.interride.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O15 - Trusted Zone: *.mckinsey.com (HKLM)
O15 - Trusted Zone: *.mckinsey.de (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.com (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.org (HKLM)
O15 - Trusted Zone: *.mckinseyquarterly.com (HKLM)
O15 - Trusted Zone: *.setup (HKLM)
O15 - Trusted Zone: *.shi.com (HKLM)
O15 - Trusted Zone: *.webex.com (HKLM)
O15 - Trusted Zone: *.workplace.com (HKLM)
O15 - Trusted Zone: *.wwworkplace.com (HKLM)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\Software\..\Telephony: DomainName = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\behabiji.dll,C:\WINDOWS\system32\foponiga.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\behabiji.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AgentService - Iron Mountain Incorporated - D:\Connected\AgentService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
--
End of file - 20204 bytes
---------------------------------------------------------------------------------------------
#3
Posted 29 December 2008 - 03:50 PM
Your defs are nearly 100 versions out of date. While you wait for help, please update MBAM, scan again and post fresh MBAM and HJT logs.
#4
Posted 29 December 2008 - 09:59 PM
nosirrah, on Dec 29 2008, 10:50 AM, said:
Your defs are nearly 100 versions out of date. While you wait for help, please update MBAM, scan again and post fresh MBAM and HJT logs.
Thanks.
Attaching the files and screenshot after running them.
1. Spybot screenshot (before cleaning)
2. Malware logs before and after cleanup
3. Panda scan logs
4. HijackThis
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:35 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
D:\Connected\AgentService.exe
C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iedownload.in...sp1/install.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amc-proxy01:8080
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [AppInstaller] C:\WINDOWS\I386\fi\tivoli\AppInst\AppInst.EXE
O4 - HKLM\..\Run: [DSKMGR] C:\Program Files\Desktop Manager\DskMgr.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBMTBCTL] "C:\Program Files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" /r
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.209.172.180.115
O15 - Trusted Zone: http://*.209.172.180.115
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.ariba.com
O15 - Trusted Zone: http://*.ariba.com
O15 - Trusted Zone: *.bcop.com
O15 - Trusted Zone: http://*.bcop.com
O15 - Trusted Zone: *.bmitools.net
O15 - Trusted Zone: *.bymckinsey.com
O15 - Trusted Zone: *.cdw.com
O15 - Trusted Zone: http://*.cdw.com
O15 - Trusted Zone: *.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: http://*.gib.dealogic.com
O15 - Trusted Zone: http://*.dealogic.com
O15 - Trusted Zone: *.easybank.at
O15 - Trusted Zone: *.mckinsey.edtlearning.com
O15 - Trusted Zone: http://*.mckinsey.edtlearning.com
O15 - Trusted Zone: *.edtlearning.com
O15 - Trusted Zone: http://*.edtlearning.com
O15 - Trusted Zone: *.elementk.com
O15 - Trusted Zone: http://*.elementk.com
O15 - Trusted Zone: *.factiva.com
O15 - Trusted Zone: *.four51.com
O15 - Trusted Zone: http://*.four51.com
O15 - Trusted Zone: *.globalprofitpools.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.grandandtoy.com
O15 - Trusted Zone: http://*.grandandtoy.com
O15 - Trusted Zone: *.hallmark.com
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hbs.edu
O15 - Trusted Zone: http://*.hbs.edu
O15 - Trusted Zone: *.hbsinteractive.hbs.edu
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu
O15 - Trusted Zone: *.hoovers.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hp.com
O15 - Trusted Zone: *.icp
O15 - Trusted Zone: *.infotriever.com
O15 - Trusted Zone: *.interride.com
O15 - Trusted Zone: http://*.interride.com
O15 - Trusted Zone: http://www.juliemorgenstern.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: http://*.knowledgenet.com
O15 - Trusted Zone: *.gps.mckinsey.com
O15 - Trusted Zone: http://*.gps.mckinsey.com
O15 - Trusted Zone: icp.intranet.mckinsey.com
O15 - Trusted Zone: mb2.mckinsey.com
O15 - Trusted Zone: http://mb2.mckinsey.com
O15 - Trusted Zone: mb2dev.mckinsey.com
O15 - Trusted Zone: http://mb2dev.mckinsey.com
O15 - Trusted Zone: mb2qa.mckinsey.com
O15 - Trusted Zone: http://mb2qa.mckinsey.com
O15 - Trusted Zone: setup.intranet.mckinsey.com
O15 - Trusted Zone: *.mckinsey.com
O15 - Trusted Zone: http://*.mckinsey.com
O15 - Trusted Zone: *.mckinsey.de
O15 - Trusted Zone: http://*.mckinsey.de
O15 - Trusted Zone: *.mckinseygiftofhope.com
O15 - Trusted Zone: *.mckinseygiftofhope.org
O15 - Trusted Zone: www.mckinseyquarterly.com
O15 - Trusted Zone: *.mckinseyquarterly.com
O15 - Trusted Zone: *.onex.com
O15 - Trusted Zone: http://*.onex.com
O15 - Trusted Zone: *.setup
O15 - Trusted Zone: *.shi.com
O15 - Trusted Zone: http://*.shi.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: *.workplace.com
O15 - Trusted Zone: http://*.workplace.com
O15 - Trusted Zone: *.wwworkplace.com
O15 - Trusted Zone: http://*.wwworkplace.com
O15 - Trusted Zone: *.209.172.180.115 (HKLM)
O15 - Trusted Zone: http://*.209.172.180.115 (HKLM)
O15 - Trusted Zone: *.adobe.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.apple.com (HKLM)
O15 - Trusted Zone: *.ariba.com (HKLM)
O15 - Trusted Zone: *.bcop.com (HKLM)
O15 - Trusted Zone: *.bmitools.net (HKLM)
O15 - Trusted Zone: *.bymckinsey.com (HKLM)
O15 - Trusted Zone: *.compaq.com (HKLM)
O15 - Trusted Zone: *.mckinsey.edtlearning.com (HKLM)
O15 - Trusted Zone: *.edtlearning.com (HKLM)
O15 - Trusted Zone: *.elementk.com (HKLM)
O15 - Trusted Zone: *.factiva.com (HKLM)
O15 - Trusted Zone: *.four51.com (HKLM)
O15 - Trusted Zone: *.globalprofitpools.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.hallmark.com (HKLM)
O15 - Trusted Zone: *.hbs.edu (HKLM)
O15 - Trusted Zone: *.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu (HKLM)
O15 - Trusted Zone: *.hoovers.com (HKLM)
O15 - Trusted Zone: *.hp.com (HKLM)
O15 - Trusted Zone: *.icp (HKLM)
O15 - Trusted Zone: *.infotriever.com (HKLM)
O15 - Trusted Zone: *.interride.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O15 - Trusted Zone: *.mckinsey.com (HKLM)
O15 - Trusted Zone: *.mckinsey.de (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.com (HKLM)
O15 - Trusted Zone: *.mckinseygiftofhope.org (HKLM)
O15 - Trusted Zone: *.mckinseyquarterly.com (HKLM)
O15 - Trusted Zone: *.setup (HKLM)
O15 - Trusted Zone: *.shi.com (HKLM)
O15 - Trusted Zone: *.webex.com (HKLM)
O15 - Trusted Zone: *.workplace.com (HKLM)
O15 - Trusted Zone: *.wwworkplace.com (HKLM)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\Software\..\Telephony: DomainName = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.mckinsey.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\heyayoli.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AgentService - Iron Mountain Incorporated - D:\Connected\AgentService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
--
End of file - 18792 bytes
#5
Posted 30 December 2008 - 10:42 AM
Please run the following.
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
- Double-click on JavaRa.exe to start the program.
- From the drop-down menu, choose English and click on Select.
- JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
- A logfile will pop up. Please save it to a convenient location.
Then run HJT and do a Scan Only and place a check mark on the following entries.
O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\heyayoli.dll
O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)
Then click on "Fix checked"
Please upload the following files for review at uploads.malwarebytes.org
c:\windows\system32\AMINIT.dll
c:\windows\system32\amzvbn.dll
c:\windows\system32\dyprvc.dll
C:\WINDOWS\system32\zjxmli.dll
C:\WINDOWS\system32\pqhvxx.dll
C:\WINDOWS\system32\yjzlau.dll
C:\WINDOWS\system32\shhkde.dll
C:\WINDOWS\system32\fiyifine.dll
C:\WINDOWS\system32\heyayoli.dll
C:\WINDOWS\system32\awtusstr.dll
Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer and AFTER the restart run HJT scan and save log.
Post back fresh MBAM and HJT logs.