Full Version: Citrix Server Compromised - Help
smileyville
I posted this in BleepingComputers.com. I see that they have been swamped and provide very useful information; however, the lead time right now seems to be at least a week or two. I have a production server that picked up some stuff, and generally I run MalwareBytes every 2 weeks to 30 days; however, with this infection, I am not having success. So I am trying to figure out next steps. Any help you can provide, I am totally grateful for.

Thoughts on next steps:

Reset all user sessions
Disconnect from the Network
Boot into SafeMode and Run MalwareBytes

If this is not successful, I am considering removing my Symantec Endpoint Anti-Virus and installing AVG Free to run a scan on the box. Not ideal, but I am getting frustrated.

Here's the post from Bleepingcomputers.com if it sheds more light.

Thanks.


My server is a Dell PowerEdge running Windows 2000 SP4, Citrix MetaFrame XP and Symantec Endpoint virus protection, with limited space. Though it isn't the ideal situation and it has some issues which have been posted in other questions, it's been hobbling along OK until today.

To try and fix it, I have tried Malwarebytes Anti-Malware, but it freezes about 12 seconds into the scan; the timer keeps going, but it sits in this state for hours. Process utilization stopped; it just hung, and I let it sit and sit. I rebooted the system and tried the same in Safe Mode, but it wouldn't work there either. I tried again later after I noticed that IEXPLORE.EXE was spawning on its own. I terminated the IE windows and it seemed to be running better, but it still hung up.

Started Super Anti-Spyware since Malwarebytes was hanging.

Super Anti-Spyware ran but got hung on c:\pogra~1\common~1\symant~1\RCEMLPXY.DLL. It did find Adware.Vundo Variant/ACE. This is where it's been for 3 hours now as it won't let me move forward in the scan, cancel the scan or kill the scan.

I terminated the IE sessions again as there was no browser activity, and it failed on the same file again.

I originally posted in the wrong forum, so have run the script as recommended. Posted are the results from the DDS.txt file. The Attach file is attached.

I apologize if I am still doing something wrong here. Just desperate to get my users working again.

Thanks in advance for your help.


Below are the DDS logs:



DDS (Ver_09-02-01.01) - NTFSx86
Run by jnordeng at 9:56:42.19 on Thu 03/12/2009
Internet Explorer: 6.0.2800.1106

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Company
uInternet Settings,ProxyOverride = <local>
mSearchURL = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {db0a92a0-ad82-42b4-88cc-35c6b0738694} - c:\winnt\system32\jizejaho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f090d11c-0ae6-4ce3-9daf-d9d3238363c2} - c:\winnt\system32\jizejaho.dll
BHO: {f734bb3d-f44d-4c76-beeb-a569cf3b0956} - c:\winnt\system32\jizejaho.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [<NO NAME>]
mRun: [IcaBar] icabar.exe /adminonly
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CstlFaxTray] c:\program files\castelle\faxpress\FaxTray.Exe /s
mRun: [FPEXCNVT] c:\program files\castelle\faxpress\ExCnvt.exe
mRun: [CstlDaemon] c:\program files\castelle\faxpress\Daemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinVNC] "e:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [jemidumewi] Rundll32.exe "c:\winnt\system32\hebayule.dll",s
mRun: [mukozorapa] Rundll32.exe "c:\winnt\system32\hebayule.dll",s
mRun: [gazedakufu] Rundll32.exe "c:\winnt\system32\hebayule.dll",s
mRun: [c4832176] rundll32.exe "c:\winnt\system32\bivirabo.dll",b
mPolicies-explorer: NoFileAssociate = 1 (0x1)
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232652768457
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232652752754
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {ED0B57B0-34FC-4384-B68D-DDAE9F9AD1D5} = 192.168.0.1,192.168.0.11
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll
Notify: MetaFrame - ctxnotif.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\paselilu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\winnt\system32\paselilu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll
LSA: Notification Packages = scecli c:\winnt\system32\nahafita.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile=c:\winnt\notepad.exe "%1" note

=============== Created Last 30 ================

2009-03-12 09:56 143,360 a--sh--- c:\winnt\system32\jedexv.dll
2009-03-12 09:53 143,360 a--sh--- c:\winnt\system32\ijqyyf.dll
2009-03-12 09:38 121 ---sh--- c:\winnt\system32\ifetuken.ini
2009-03-12 09:38 143,360 a--sh--- c:\winnt\system32\arscnb.dll
2009-03-12 08:45 368,961 a------- C:\dds.scr
2009-03-12 07:26 143,360 a--sh--- c:\winnt\system32\qoddsr.dll
2009-03-11 23:37 550 -------- c:\winnt\system32\Microsoft.VC80.MFC.manifest
2009-03-11 23:37 522 -------- c:\winnt\system32\Microsoft.VC80.CRT.manifest
2009-03-11 23:36 <DIR> --d----- c:\docume~1\jnordeng\applic~1\HouseCall 6.6
2009-03-11 21:38 142,336 ---sh--- c:\winnt\system32\bfyjrr.dll
2009-03-11 21:37 142,336 ---sh--- c:\winnt\system32\fxxels.dll
2009-03-11 19:25 141,824 ---sh--- c:\winnt\system32\uwipwr.dll
2009-03-11 18:02 170,578 ----h--- c:\winnt\ShellIconCache
2009-03-11 17:57 16,384 -------t c:\winnt\system32\Perflib_Perfdata_56c.dat
2009-03-11 17:56 16,384 -------t c:\winnt\system32\Perflib_Perfdata_5bc.dat
2009-03-11 17:05 236,816 -------- c:\winnt\system32\CF12897.exe
2009-03-11 17:04 236,816 -------- c:\winnt\system32\cmd.execf
2009-03-11 13:54 16,384 -------t c:\winnt\system32\Perflib_Perfdata_748.dat
2009-03-11 12:58 16,384 -------t c:\winnt\system32\Perflib_Perfdata_774.dat
2009-03-11 12:46 16,384 -------t c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-03-11 12:46 16,384 -------t c:\winnt\system32\Perflib_Perfdata_770.dat
2009-03-11 12:45 16,384 -------t c:\winnt\system32\Perflib_Perfdata_738.dat
2009-03-11 12:45 16,384 -------t c:\winnt\system32\Perflib_Perfdata_5cc.dat
2009-03-11 12:20 1,808,094 ---sh--- c:\winnt\system32\obarivib.ini2
2009-03-11 09:37 141,824 ---sh--- c:\winnt\system32\rckznc.dll
2009-03-11 09:37 1,808,094 ---sh--- c:\winnt\system32\obarivib.ini
2009-03-10 12:09 16,384 -------t c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-03-02 09:57 38,248 -------- c:\winnt\system32\drivers\WGX.SYS
2009-03-01 15:39 16,384 -------t c:\winnt\system32\Perflib_Perfdata_604.dat
2009-03-01 15:38 16,384 -------t c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-03-01 14:57 16,384 -------t c:\winnt\system32\Perflib_Perfdata_60c.dat
2009-03-01 14:50 16,384 -------t c:\winnt\system32\Perflib_Perfdata_338.dat
2009-03-01 14:48 16,384 -------t c:\winnt\system32\Perflib_Perfdata_5dc.dat
2009-03-01 14:36 16,384 -------t c:\winnt\system32\Perflib_Perfdata_4a8.dat
2009-03-01 14:36 16,384 -------t c:\winnt\system32\Perflib_Perfdata_610.dat
2009-03-01 14:35 16,384 -------t c:\winnt\system32\Perflib_Perfdata_5d0.dat
2009-03-01 14:35 16,384 -------t c:\winnt\system32\Perflib_Perfdata_4e8.dat
2009-03-01 14:12 16,384 -------t c:\winnt\system32\Perflib_Perfdata_bcc.dat
2009-03-01 14:11 136,496 -------- c:\winnt\system32\drivers\SYMEVENT.SYS
2009-03-01 14:11 60,808 -------- c:\winnt\system32\S32EVNT1.DLL
2009-03-01 14:11 10,652 -------- c:\winnt\system32\drivers\SYMEVENT.CAT
2009-03-01 14:11 806 -------- c:\winnt\system32\drivers\SYMEVENT.INF
2009-03-01 14:10 <DIR> --d----- c:\program files\Symantec
2009-03-01 13:49 16,384 -------t c:\winnt\system32\Perflib_Perfdata_3d0.dat
2009-03-01 13:42 16,384 -------t c:\winnt\system32\Perflib_Perfdata_4f0.dat
2009-03-01 13:02 16,384 -------t c:\winnt\system32\Perflib_Perfdata_51c.dat
2009-03-01 12:40 16,384 -------t c:\winnt\system32\Perflib_Perfdata_524.dat
2009-03-01 12:27 <DIR> --d----- C:\Windows
2009-03-01 11:37 16,384 -------t c:\winnt\system32\Perflib_Perfdata_650.dat
2009-02-26 09:42 16,384 -------t c:\winnt\system32\Perflib_Perfdata_994.dat
2009-02-26 08:01 <DIR> --d----- c:\program files\Yahoo!
2009-02-24 18:10 16,384 -------t c:\winnt\system32\Perflib_Perfdata_694.dat
2009-02-15 17:25 16,384 -------t c:\winnt\system32\Perflib_Perfdata_500.dat
2009-02-15 17:24 16,384 -------t c:\winnt\system32\Perflib_Perfdata_540.dat
2009-02-15 16:51 16,384 -------t c:\winnt\system32\Perflib_Perfdata_6e0.dat
2009-02-15 16:27 16,384 -------t c:\winnt\system32\Perflib_Perfdata_9e0.dat
2009-02-15 14:29 <DIR> --d----- c:\winnt\Windows Update Setup Files
2009-02-15 14:25 37,996 -------- c:\documents and settings\(My username)\TsAllUsr.Dat

==================== Find3M ====================

2009-03-12 09:57 106,496 a--sh--- c:\winnt\system32\gazomula.dll
2009-03-12 09:56 143,360 a--sh--- c:\winnt\system32\selovofa.dll
2009-03-12 09:56 103,424 a--sh--- c:\winnt\system32\serehera.dll
2009-03-12 09:53 106,496 a--sh--- c:\winnt\system32\vejidoza.dll
2009-03-12 09:53 143,360 a--sh--- c:\winnt\system32\nikezeva.dll
2009-03-12 09:53 103,424 a--sh--- c:\winnt\system32\vigoyusu.dll
2009-03-12 09:38 143,360 a--sh--- c:\winnt\system32\jabavaki.dll
2009-03-12 09:38 103,424 a--sh--- c:\winnt\system32\nekutefi.dll
2009-03-12 09:38 106,496 a--sh--- c:\winnt\system32\jasenapu.dll
2009-03-12 07:26 103,424 a--sh--- c:\winnt\system32\dopitisu.dll
2009-03-12 07:26 143,360 a--sh--- c:\winnt\system32\gavamoho.dll
2009-03-12 07:26 107,520 a--sh--- c:\winnt\system32\lidakubi.dll
2009-03-11 21:38 142,336 ---sh--- c:\winnt\system32\puyinohe.dll
2009-03-11 21:38 106,496 ---sh--- c:\winnt\system32\boninipu.dll
2009-03-11 21:38 101,888 ---sh--- c:\winnt\system32\govezamu.dll
2009-03-11 21:37 142,336 ---sh--- c:\winnt\system32\karirabo.dll
2009-03-11 21:37 106,496 ---sh--- c:\winnt\system32\hirisaki.dll
2009-03-11 21:37 101,888 ---sh--- c:\winnt\system32\welemige.dll
2009-03-11 19:25 108,032 ---sh--- c:\winnt\system32\fapilizu.dll
2009-03-11 19:25 141,824 ---sh--- c:\winnt\system32\gomevibi.dll
2009-03-11 19:25 101,376 ---sh--- c:\winnt\system32\rivikela.dll
2009-03-11 09:38 101,888 ---sh--- c:\winnt\system32\giduwama.dll
2009-03-11 09:37 106,496 ---sh--- c:\winnt\system32\paselilu.dll
2009-03-11 09:37 141,824 ---sh--- c:\winnt\system32\fijorabu.dll
2009-03-11 09:37 101,888 ---sh--- c:\winnt\system32\bivirabo.dll
2009-03-11 09:37 106,496 ---sh--- c:\winnt\system32\kefesuto.dll
2009-03-11 09:37 141,824 ---sh--- c:\winnt\system32\nekoneto.dll
2009-02-11 11:19 38,496 -------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 -------- c:\winnt\system32\drivers\mbam.sys
2009-02-03 09:54 16,384 -------t c:\winnt\system32\Perflib_Perfdata_9d0.dat
2009-02-03 09:54 16,384 -------t c:\winnt\system32\Perflib_Perfdata_6a4.dat
2009-01-22 16:23 16,384 -------t c:\winnt\system32\Perflib_Perfdata_9c4.dat
2009-01-22 16:23 16,384 -------t c:\winnt\system32\Perflib_Perfdata_6a8.dat
2009-01-22 14:54 16,384 -------t c:\winnt\system32\Perflib_Perfdata_3410.dat
2009-01-19 16:53 16,384 -------t c:\winnt\system32\Perflib_Perfdata_300.dat
2009-01-19 16:53 16,384 -------t c:\winnt\system32\Perflib_Perfdata_9c8.dat
2009-01-19 16:53 16,384 -------t c:\winnt\system32\Perflib_Perfdata_690.dat
2009-01-19 15:47 410,984 -------- c:\winnt\system32\deploytk.dll
2009-01-09 10:35 16,384 -------t c:\winnt\system32\Perflib_Perfdata_196c.dat
2009-01-02 08:21 16,384 -------t c:\winnt\system32\Perflib_Perfdata_684.dat
2008-12-23 18:07 16,384 -------t c:\winnt\system32\Perflib_Perfdata_68c.dat
2008-12-22 13:27 72,226 -------- C:\MGlogs.zip
2008-12-19 13:08 16,384 -------t c:\winnt\system32\Perflib_Perfdata_980.dat
2008-12-19 11:15 16,384 -------t c:\winnt\system32\Perflib_Perfdata_990.dat
2008-02-14 13:05 190 -------- c:\program files\common files\psasetup.log
2005-02-22 15:07 3,567 ---sh--- c:\program files\praps.dat
2005-02-21 01:53 7,471 ---sh--- c:\program files\ivigi.dat
2005-02-20 21:09 7,471 ---sh--- c:\program files\aofwx.dat
2005-02-12 07:48 7,471 ---sh--- c:\program files\xmgfp.dat
2005-02-01 08:38 3,567 ---sh--- c:\program files\ltzga.dat
2001-12-28 16:43 4,646 -------- c:\program files\INSTALL.LOG
2001-10-31 13:08 21,952 ----h--- c:\program files\folder.htt
2001-10-31 13:08 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 -------- c:\winnt\inf\wbfirdma.sys
0000-00-00 00:00 70,144 ---sh--- c:\winnt\system32\hebayule.dll
2008-09-22 09:22 42,496 ---sh--- c:\winnt\system32\jemijeki.dll
0000-00-00 00:00 70,144 ---sh--- c:\winnt\system32\jizejaho.dll
2008-09-22 09:22 42,496 ---sh--- c:\winnt\system32\joluzeto.dll
0000-00-00 00:00 70,144 ---sh--- c:\winnt\system32\nahafita.dll
1999-12-07 07:00 78,716 ---sh--- c:\winnt\system32\wfinst.dll
1999-12-07 07:00 78,736 ---sh--- c:\winnt\system32\wfsetup.dll

============= FINISH: 10:10:05.14 ===============


I went into SUPERAntiSpyware again and excluded the c:\program files\common files\symantec directory and started the scan again.

Unfortunately, it made it to 651 instead of 640. However, though I excluded it, it is still getting hung up on c:\pogra~1\common~1\symant~1\RCEMLPXY.DLL.

The two items it found in Memory are: Trojan.Downloader-NewJuan/VM and Adware.Vundo Variant/ACE.

I also downloaded a recent copy of VundoFix, but the scan found nothing.

Thanks for any help, as this is really affecting my users' ability to work and my sanity. Thanks.



Below is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:09 PM, on 3/12/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
U:\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\Citrix\IMA\imasrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\mfcom.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Dell\Intel DMI Service Provider\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\Program Files\Castelle\FaxPress\Daemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Castelle\FaxPress\TrayFaxAlert.exe
C:\Program Files\GoldMine\gmw5.exe
C:\WINNT\system32\icabar.exe
C:\WINNT\system32\TASKMGR.EXE
C:\WINNT\system32\logon.scr
C:\WINNT\system32\rundll32.exe
e:\program files\stonefield query for goldmine\sfquery.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\wfshell.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\icabar.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\Program Files\Castelle\FaxPress\Daemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Castelle\FaxPress\TrayFaxAlert.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\jn\Desktop\dds.scr
C:\WINNT\system32\winlogon.exe
C:\Documents and Settings\jn\Desktop\dds.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\MDM.EXE
C:\Program Files\JavaSoft\JRE\1.3\bin\javaw.exe
C:\WINNT\system32\winlogon.exe
E:\Program Files\Business Objects\Crystal Reports 11\crw32.exe
C:\WINNT\system32\wfshell.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\Program Files\Castelle\FaxPress\Daemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Castelle\FaxPress\TrayFaxAlert.exe
E:\Metafile\PDF Print Manager\PDFPrtMan.exe
C:\PROGRA~1\COMMON~1\METAFI~1\METAPR~1.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
E:\Program Files\Progress\bin\prowin32.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\WINNT\System32\MDM.EXE
C:\WINNT\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
h:\apps\Viewer.exe
C:\WINNT\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Company
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {db0a92a0-ad82-42b4-88cc-35c6b0738694} - C:\WINNT\system32\jizejaho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f090d11c-0ae6-4ce3-9daf-d9d3238363c2} - C:\WINNT\system32\jizejaho.dll
O2 - BHO: (no name) - {f734bb3d-f44d-4c76-beeb-a569cf3b0956} - C:\WINNT\system32\jizejaho.dll
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [CstlDaemon] C:\Program Files\Castelle\FaxPress\Daemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [jemidumewi] Rundll32.exe "C:\WINNT\system32\hebayule.dll",s
O4 - HKLM\..\Run: [mukozorapa] Rundll32.exe "C:\WINNT\system32\hebayule.dll",s
O4 - HKLM\..\Run: [gazedakufu] Rundll32.exe "C:\WINNT\system32\hebayule.dll",s
O4 - HKLM\..\Run: [c4832176] rundll32.exe "C:\WINNT\system32\nekutefi.dll",b
O4 - HKLM\..\Run: [CPMc7b012ea] Rundll32.exe "c:\winnt\system32\gazomula.dll",a
O4 - HKLM\..\Run: [CPMaffe9417] Rundll32.exe "c:\winnt\system32\gazomula.dll",a
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1143\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'D')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1151\..\Run: [ctfmon.exe] ctfmon.exe (User 'J')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1151\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'J')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1154\..\Run: [] (User 'Jd')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1156\..\Run: [] (User 'Jh')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1157\..\Run: [] (User 'Jw')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1164\..\Run: [] (User 'mm')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1165\..\Run: [] (User 'Mp')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1165\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'Mp')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1166\..\Run: [] (User 'Mt')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1178\..\Run: [] (User 'R')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1178\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'R')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1201\..\Run: [] (User 'Sh')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1204\..\Run: [] (User 'Tn')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1204\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'Tn')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1225\..\Run: [] (User 'Rm')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1243\..\Run: [] (User 'KS')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1243\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'KS')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1250\..\Run: [] (User 'th')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1250\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'th')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1252\..\Run: [] (User 'vb')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-1252\..\RunServices: [Image] rundll32 C:\WINNT\image.dll,Install (User 'vb')
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-2152\..\Run: [MS Juan] rundll32 "C:\WINNT\system32\jedexv.dll",run (User 'wr')
O4 - S-1-5-21-3647276287-2912914505-4040246719-1154 Startup: HotSync Manager.lnk = Palm\hotsync.exe (User 'Jd')
O4 - S-1-5-21-3647276287-2912914505-4040246719-1166 Startup: PDF Print Manager.lnk = E:\Metafile\PDF Print Manager\PDFPrtMan.exe (User 'Mt')
O4 - S-1-5-21-3647276287-2912914505-4040246719-1204 Startup: PDF Print Manager.lnk = E:\Metafile\PDF Print Manager\PDFPrtMan.exe (User 'Tn')
O4 - S-1-5-21-3647276287-2912914505-4040246719-500 Startup: GoldSync.lnk = C:\Program Files\GoldMine\gmw5.exe (User 'administrator')
O4 - S-1-5-21-3647276287-2912914505-4040246719-500 Startup: ICA Administrator Toolbar.lnk = C:\WINNT\system32\icabar.exe (User 'administrator')
O4 - S-1-5-21-3647276287-2912914505-4040246719-500 Startup: TASKMGR.EXE.lnk = C:\WINNT\system32\TASKMGR.EXE (User 'administrator')
O4 - S-1-5-21-3647276287-2912914505-4040246719-500 Startup: w3dbsmgr.exe.lnk = C:\PVSW\bin\w3dbsmgr.exe (User 'administrator')
O4 - .DEFAULT Startup: GoldSync.lnk = C:\Program Files\GoldMine\gmw5.exe (User 'Default user')
O4 - .DEFAULT Startup: ICA Administrator Toolbar.lnk = C:\WINNT\system32\icabar.exe (User 'Default user')
O4 - .DEFAULT Startup: TASKMGR.EXE.lnk = C:\WINNT\system32\TASKMGR.EXE (User 'Default user')
O4 - .DEFAULT Startup: w3dbsmgr.exe.lnk = C:\PVSW\bin\w3dbsmgr.exe (User 'Default user')
O4 - Global Startup: Castelle Fax Daemon.lnk = C:\Program Files\Castelle\FaxPress\daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TrayFaxAlert.lnk = C:\Program Files\Castelle\FaxPress\TrayFaxAlert.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - U:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - U:\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'u:\windows\system32\rnr20.dll' missing
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232652768457
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232652752754
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RomoInc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED0B57B0-34FC-4384-B68D-DDAE9F9AD1D5}: NameServer = 192.168.0.1,192.168.0.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RomoInc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RomoInc.local
O20 - Winlogon Notify: !SASWinLogon - e:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\gazomula.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\gazomula.dll
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\WINNT\System32\cdmsvc.exe
O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Program Files\Seagull\BarTender 7.10\Enterprise\CmdrSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\WINNT\System32\encsvc.exe
O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\WINNT\System32\Citrix\IMA\imasrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\WINNT\System32\mfcom.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Unknown owner - C:\PVSW\bin\w3dbsmgr.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Win32SL (Win32sl) - Intel - C:\Program Files\Dell\Intel DMI Service Provider\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Program Files\UltraVNC\winvnc.exe (file missing)

--
End of file - 14216 bytes
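As an added example (not from the original post, nor from either forum), here is a small Python triage script that applies the load-point rules an analyst works through on DDS and HijackThis logs like the ones above: rundll32 Run entries with single-letter exports, extra LSA notification packages, SSODL/STS shell load points, nameless BHOs, and DLLs listed with hidden+system attributes that are also referenced from an autostart. The sample lines are copied from the posted logs; the rule set and the LSA_BUILTIN list are my assumptions, not a published signature.

```python
import re

# Constructed sample: lines copied from the DDS and HijackThis logs in the post
# above, plus benign lines so the rules have something to leave alone.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [jemidumewi] Rundll32.exe "c:\winnt\system32\hebayule.dll",s
mRun: [c4832176] rundll32.exe "c:\winnt\system32\bivirabo.dll",b
LSA: Notification Packages = scecli c:\winnt\system32\nahafita.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\paselilu.dll
BHO: {db0a92a0-ad82-42b4-88cc-35c6b0738694} - c:\winnt\system32\jizejaho.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
2009-03-12 09:56 143,360 a--sh--- c:\winnt\system32\jedexv.dll
2009-03-11 23:37 550 -------- c:\winnt\system32\Microsoft.VC80.MFC.manifest
2009-03-12 08:45 368,961 a------- C:\dds.scr
O4 - HKLM\..\Run: [CPMc7b012ea] Rundll32.exe "c:\winnt\system32\gazomula.dll",a
O4 - HKUS\S-1-5-21-3647276287-2912914505-4040246719-2152\..\Run: [MS Juan] rundll32 "C:\WINNT\system32\jedexv.dll",run (User 'wr')
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# DDS "Created Last 30" / "Find3M" entry: date time size attrs path
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$", re.I)
# rundll32 <dll>,<export> as written in Run keys (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
DLL_PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.dll', re.I)
# Packages Windows itself registers under LSA\Notification Packages (assumed
# baseline for a Windows 2000/2003 server; extend for your own environment).
LSA_BUILTIN = {"scecli", "rassfm", "kdcsvc"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hidden_system_dlls(text):
    """Pass 1: DLL basenames whose DDS attribute field has both 's' and 'h' set."""
    found = set()
    for line in text.splitlines():
        m = FILE_ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(1).lower(), m.group(2)
        if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
            found.add(basename(path))
    return found


def check_line(line, hidden):
    """Pass 2: apply the load-point rules to one line; returns reasons (empty = benign)."""
    reasons = []
    stripped = line.strip()
    low = stripped.lower()
    m = RUNDLL_RE.search(stripped)
    if m and len(m.group(2)) == 1:
        reasons.append("rundll32 autostart with single-letter export '%s'" % m.group(2))
    if low.startswith("lsa: notification packages"):
        pkgs = low.split("=", 1)[1].split()
        extra = [p for p in pkgs if basename(p).replace(".dll", "") not in LSA_BUILTIN]
        if extra:
            reasons.append("non-builtin LSA notification package: " + ", ".join(extra))
    if re.search(r"(ssodl|sts|sharedtaskscheduler):", low) and "\\system32\\" in low:
        reasons.append("shell load point (SSODL/STS) pointing into system32, review")
    if re.match(r"^(bho|o2 - bho): (\(no name\) - )?\{", low):
        reasons.append("BHO registered without a display name")
    fm = FILE_ENTRY_RE.match(stripped)
    if fm and basename(fm.group(2)) in hidden:
        reasons.append("recently created DLL carrying hidden+system attributes")
    if not fm:  # cross-reference: an autostart that names a hidden+system DLL
        for p in DLL_PATH_RE.findall(stripped):
            if basename(p) in hidden:
                reasons.append("load point references hidden+system DLL %s" % basename(p))
    return reasons


def triage(text):
    """Return [{'line': ..., 'reasons': [...]}] for every flagged line in the log."""
    hidden = hidden_system_dlls(text)
    findings = []
    for line in text.splitlines():
        if line.strip():
            reasons = check_line(line, hidden)
            if reasons:
                findings.append({"line": line.strip(), "reasons": reasons})
    return findings


def suspect_dlls(findings):
    """Sorted unique DLL basenames named in flagged lines, for collection and hashing."""
    return sorted({basename(p) for f in findings for p in DLL_PATH_RE.findall(f["line"])})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print("suspect DLLs:", suspect_dlls(found))
```

Run against the full DDS output rather than the sample, the hidden+system cross-reference is what ties the "Created Last 30" entries to the Run, LSA and SSODL lines, which is the set a cleaner would need to address together.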
AdvancedSetup
Please see post here: http://www.malwarebytes.org/forums/index.php?showtopic=12519