July 23, 2008 02:08pm pdt

1. rpggamer... 152,634
2. IndiGenus 106,685
3. Firstedi... 9,800
4. 1972vet 9,200
5. briancassin 8,350
6. orangutang 6,990
7. Jonvee 6,400
8. Admin3k 6,050
9. Sheharya... 4,900
10. flubbster 3,500
11. rindi 3,250
12. gnurl 3,240
13. willcomp 2,950
14. war1 2,900
15. johnb6767 2,600
15. phototropic 2,600

1. rpggamer... 243,618
2. IndiGenus 145,850
3. Sheharya... 18,410
4. orangutang 13,990
5. Jonvee 12,562
6. johnb6767 10,443
7. Firstedi... 9,800
8. 1972vet 9,200
9. rindi 8,790
10. briancassin 8,350
11. r-k 7,845
12. war1 7,150
13. willcomp 6,510
14. Admin3k 6,050
15. souseran 5,700

05.12.2008 at 01:24PM PDT, ID: 23395841

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.7

Virtumonde Infection - Issue has been answered before but each infection is unique so I need help please

Zones: HijackThis Software, Miscellaneous Security, Anti-Virus Applications

Tags: Microsoft, Vista, Business

I know that I have an Virtumonde infection. I already tried the VundoFix to no avail. I have Avast 4.8, Comodo Firewall, HijackThis and the most recent version of Spybot S&D.

Here is the result of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:46 PM, on 5/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 9500 Series\lxdomon.exe
C:\Program Files\Lexmark 9500 Series\lxdoamon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\colton\AppData\Local\Google\Update\1.1.27.0\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Users\colton\AppData\Local\Google\Google Talk, Labs Edition\GoogleTalkLabsEdition.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Vista & XP Virtual Desktops\Virtual Desktops.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Citrix\GoToMeeting\198\g2mcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Citrix\GoToMeeting\198\g2mlauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080207
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: {65b56080-e8fc-a57a-d804-09ef178b2150} - {0512b871-fe90-408d-a75a-cf8e08065b56} - C:\Windows\system32\yusbragj.dll
O2 - BHO: (no name) - {0BB6EF78-FFC8-4F7A-BD2C-09DA1169A4B5} - C:\Windows\system32\vtUkiFYR.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {3C13E0B2-87DB-4E00-8DD5-AFCCEB83D6B9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54572141-e419-4fb9-97cb-49482724ce90} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {8646ACA5-C54F-4FA4-BB1E-C42CB56854C2} - C:\Windows\system32\urqRkjki.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C7F75BCB-51BA-4F5D-92D7-953011C0B65D} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdomon.exe] "C:\Program Files\Lexmark 9500 Series\lxdomon.exe"
O4 - HKLM\..\Run: [lxdoamon] "C:\Program Files\Lexmark 9500 Series\lxdoamon.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUkiFYR.dll,#1
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [4e51628a] rundll32.exe "C:\Windows\system32\raesrtum.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA750] command /c del "C:\Windows\System32\awtSlKcy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2097] cmd /c del "C:\Windows\System32\awtSlKcy.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2002] command /c del "C:\Windows\System32\nwqqwbib.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5695] cmd /c del "C:\Windows\System32\nwqqwbib.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA499] command /c del "C:\Windows\System32\pobsesvb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8258] cmd /c del "C:\Windows\System32\pobsesvb.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8030] command /c del "C:\Windows\System32\pscfjblo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4406] cmd /c del "C:\Windows\System32\pscfjblo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA538] command /c del "C:\Windows\System32\urqRkjki.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1613] cmd /c del "C:\Windows\System32\urqRkjki.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5890] command /c del "C:\Windows\System32\xoltlgly.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9681] cmd /c del "C:\Windows\System32\xoltlgly.dll_old"
O4 - HKCU\..\Run: [googletalk] C:\Users\colton\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\colton\AppData\Local\Google\Update\1.1.27.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: EverNote.lnk = F:\My Evernote Files\Program Files\EverNote.exe
O4 - Startup: Google Talk, Labs Edition.lnk = C:\Users\colton\AppData\Local\Google\Google Talk, Labs Edition\GoogleTalkLabsEdition.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Vista & XP Virtual Desktops.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210345199245
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\Windows\system32\guard32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GCALDaemon - Unknown owner - c:\Program Files\GCALDaemon\bin\wrapper.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxdoCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdoserv.exe
O23 - Service: lxdo_device - - C:\Windows\system32\lxdocoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe

--
End of file - 16440 bytes

Any help is greatly appreciated -- I will even name my next child after you.
Thanks!

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: Mustardnut

Solution Provided By: 1972vet

Participating Experts: 3

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

05.12.2008 at 02:43PM PDT, ID: 21550760

phototropic:

Try running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The link is a great tutorial which includes download links. Post a log and a fresh HJT log here.

05.12.2008 at 03:17PM PDT, ID: 21550943

Rank: Wizard

rpggamergirl:

Yes, indeed the above link phototropic posted is the link that any Combofix users should do. Combofix author sUBs wants Recovery Console to be installed as there are infections that can only be fix by using RC.

You can also run Combofix without installing RC (if you choose to install it later), it's your choice but installing RC is recommended in case it's needed.

05.13.2008 at 08:15AM PDT, ID: 21555869

1972vet:

Greetings Mustardnut,

You will have problems running these fix instructions while you still have your Windows Defender and Tea Timer features running. Please disable both while these fix efforts are underway. When your system is cleaned, please re-enable those protective features again.

Along with Vundo you have the W32/VB-CYG Worm which spreads via removable media. Please remove any media you may have inserted in the CD ROM or elsewhere before you continue.

You can read more about the worm Here:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32vbcyg.html

You should reboot this computer before you do anything else. Spybot S&D has a few of the vundo files arrested and wants to attempt a deletion on reboot. It may not be successful but we need to clear that scheduled task first otherwise combofix will find them and start arguing with Spybot S&D over who has control of "cmd.exe".

Allow Spybot S&D to complete it's scan on reboot and do nothing while that scan is in progress. When it completes (and it may take a very long time), please carry on with these instructions...

If you haven't run combofix yet, then please follow these instructions below:

After you've downloaded and installed the combofix utility, and after you've installed the Recovery Console, please do this first before you even execute the combofix utility:

***NOTE***
It is not recommended to use the cfscript as a first run but in this instance, the user has a scheduled task from Spybot S&D that has some of these malicious files locked up. In order to prevent a conflict, maybe even a bsod, we need to remove those files first. Since Spybot S&D isn't written to produce the other offending files that vundo writes, we make this exception just this time...other users are asked not to follow these procedures.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the text below that appears between the dotted lines and paste it into the blank Notepad. Save it as:
CFScript.txt

...Change the Save as type to:
All Files
...and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

-----------------------------------------------------------------
File::
C:\Windows\system32\yusbragj.dll
C:\Windows\system32\yusbragj.bak
C:\Windows\system32\yusbragj.ini
C:\Windows\system32\jgarbsuy.dll
C:\Windows\system32\vtUkiFYR.dll
C:\Windows\system32\urqRkjki.dll
C:\Windows\system32\urqRkjki.bak
C:\Windows\system32\urqRkjki.ini
C:\Windows\system32\ikjkrqru.dll
C:\Windows\system32\raesrtum.dll
C:\Windows\system32\raesrtum.bak
C:\Windows\system32\raesrtum.ini
C:\Windows\system32\mutrsear.dll
c:\windows\system32\awtSlKcy.dll
c:\windows\system32\awtSlKcy.bak
c:\windows\system32\awtSlKcy.ini
c:\windows\system32\ycklstwa.dll
c:\windows\system32\nwqqwbib.dll
c:\windows\system32\nwqqwbib.bak
c:\windows\system32\nwqqwbib.ini
c:\windows\system32\bibwqqwn.dll
c:\windows\system32\pscfjblo.dll
c:\windows\system32\pscfjblo.bak
c:\windows\system32\pscfjblo.ini
c:\windows\system32\olbjfcsp.dll
c:\windows\system32\urqRkjki.dll
c:\windows\system32\urqRkjki.bak
c:\windows\system32\urqRkjki.ini
c:\windows\system32\ikjkrqru.dll
c:\windows\system32\xoltlgly.dll
c:\windows\system32\xoltlgly.bak
c:\windows\system32\xoltlgly.ini
c:\windows\system32\ylgltlox.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65b56080-e8fc-a57a-d804-09ef178b2150}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0512b871-fe90-408d-a75a-cf8e08065b56}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BB6EF78-FFC8-4F7A-BD2C-09DA1169A4B5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8646ACA5-C54F-4FA4-BB1E-C42CB56854C2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=
--------------------------------------------------------------------

Before posting the logs back here, you may as well uninstall your version of Java and re-install the updated version Here:
http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Once you've completed the installation, please do this:
Please download Malwarebytes Anti-Malware from Here:
http://www.besttechie.net/tools/mbam-setup.exe
or Here:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

...Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with the combofix log that was generated and fresh HijackThis log. Thanks!.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

Good Luck!

Accepted Solution

05.13.2008 at 08:19AM PDT, ID: 21555919

1972vet:

Please pardon the oversight...in the cfscript above that you should run, the very last entry is in error. It should appear in your script as follows:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-

Please replace the entry above with the one that appears in the instructions I gave you above as the "Delete" command "-" is missing from the text document.

Thanks!

05.13.2008 at 11:33AM PDT, ID: 21557883

Mustardnut:

Thanks for the quick responses. I have to find a time over the next day or two to take this machine offline and follow the instructions above. As soon as I am done, I will provide an update.

Thanks a ton!

05.13.2008 at 05:11PM PDT, ID: 21560307

Rank: Wizard

rpggamergirl:

Mustardnut,
Looks like you haven't rebooted since running Spybot, it still had to delete some files at bootup, not that it would make any difference when vundo is concern, as Combofix seems to be the best tool for vundo infection with its CFScript function during the second run.

We actually need to see the Combofix log, as there would be more files that will not be showing in the hijackthis log but will show up in the combofix log.
Please attach the result of the combofix scan.

05.14.2008 at 08:36AM PDT, ID: 21565348

Mustardnut:

Thanks all, I am working on this right now.

1972Vet -
Two things - That last line of the CFscript.... I am not following where to put the delete command or is there a corrected version that I should just copy and paste over the last line.

Also -
Spybot is still scanning and deleting files on every reboot so I assume that it still have some files lock up even now. Is it still correct to run the script first before even executing ComboFix.exe?

I have disabled windows def