
System Infected - Help

Last Modified: 2013-12-06
My system is completely infected. It is overrunning my AV and Defender software. I ran msconfig and turned off everything and still the infection persists. Here is my HijackThis log file. Please help. Next step is to rebuild (which I may do anyway).

Logfile of HijackThis v1.99.1
Scan saved at 4:20:55 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\TEMP\GX4784.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\DS Development\Easy Mail Merge for Outlook\EMMOpts.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\rgallucci.LMV\My Documents\My Downloads\utils\Hijack This\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070709
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070709
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184282442943
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184282429102
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netformx.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\Software\..\Telephony: DomainName = lmv.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3AE54F4-32F5-43B4-8F6B-8AC9C4BA0C61}: NameServer = 66.174.95.44 66.174.92.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lmv.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


If it is a bad infection I would recommend just reinstalling the OS. It will save a ton of time and it is the only way to guarantee all viruses and spyware have been removed.

Make sure to remove all the data you want to save first, then make sure to scan it with an antivirus before you put it on your new machine.

Author

Commented:
I probably will but I need to get through the weekend first. I do not have the software to reinstall where I am and will not have access to it until Monday. That's why I need to find a workaround.
If you can, install Ad-Aware and the AVG spyware removal tool onto your system (free). After installing, update them, then boot into safe mode (press F8 on reboot) and run both. Clean up as much as you can. Then if you have an antivirus run that as well; if not, install AVG's free version, update it and run it. I also recommend clearing out all your restore points because a lot of this junk can get saved in there.

To clear your restore points, right-click My Computer and select Properties. Click on the Restore tab and click on "turn off restore points", then click OK. After you clean your system up make sure to turn it back on.

If these two programs will not run in safe mode your best bet is to log in as Administrator or create a new user and do your clean-up from there.

http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/03
http://www.download.com/3000-2144-10045910.html

This should get you through the weekend. I just wouldn't trust your system. Don't use it for any sensitive info.
I ran your HJT log through the analyser and it came up clean.  Here is the link:

http://www.hijackthis.de/logfiles/dfff34fd9105eab25b051c709b9cedd6.html

If you have concerns about infection, I would recommend downloading, updating and running PrevX:

http://info.prevx.com/downloadprevx2.asp

This is an excellent malware detector/remover which will happily co-exist with your installed AV.

Superantispyware (terrible name, excellent app.!!!):

http://www.superantispyware.com/

But I wonder what it is that makes you so concerned...you have TrendMicro installed and your HJT log appears clean.  What are the symptoms of the infection you suspect?

Commented:
Try an online scan at Panda. It takes a while, but does a good job.

http://www.pandasecurity.com/homeusers/solutions/activescan/?

Author

Commented:
Interesting that the HijackThis log comes up clean. Defender keeps cleaning BrowserModifier:Win32/Fotomoto, Windows Live OneCare keeps cleaning viruses but I cannot get into a log to find out what they are, and I have to start IE (which I uninstalled and reinstalled) because of some weird add-ons, ljjklml.dll, yqcrgjiao.dll and awvts.dll, which I have disabled.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
I see a few questionable things...

C:\WINDOWS\TEMP\GX4784.EXE
Need to identify this... Windows should never run something from a Temp folder.

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
Do you know what this is?

If not, start>run>cmd>netsh winsock reset, then reboot and see if it comes back...
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Overall though, is the main problem a resource issue?

If so, I would scrap the following....

C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe

Windows Search, and even the Google search, have been known to tank CPUs.

Also, it looks like you have Trend Micro and Windows OneCare running at the same time. Try disabling one of them for now, and see if it improves.
The .dlls you are reporting (ljjklml.dll, yqcrgjiao.dll and awvts.dll) are symptomatic of a Vundo infection, although that is not showing up in your HJT log. This kind of infection would typically generate entries in O2 and O20 such as this:
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - awvts.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\System32\awvts.dll
Generally, you would expect to see popups for products such as WinFixer, ErrorSafe, WinAntivirusPro... have you had this kind of thing happening?
In addition to the tools I suggested above, download Vundofix here:

http://www.atribune.org/content/view/24/2/

Run it as per the instructions on the site. In addition, I would recommend turning off and then turning back on System Restore, to clear out the restore points. And clear temp files with an app such as Cleanup:

http://www.stevengould.org/index.php?option=com_content&task=view&id=28&Itemid=70

Post another HJT log when you have done this...
"...I ran msconfig and turned off everything..."
Sorry, I just noticed this.  Could you please go into msconfig - enable all - and THEN run HJT. It cannot report on software which is not running.  After you have generated the log, you can go back to msconfig and disable all, but HJT needs to run with everything enabled.  For the same reason, it is not productive to run HJT in safe mode...
CERTIFIED EXPERT
Top Expert 2007

Commented:
Vundo is there but just hiding, because it hides from the HijackThis scan unless you have renamed HijackThis. That's why I always suggest this renamed HijackThis:
http://danborg.org/spy/hjt/alternativ.exe

C:\WINDOWS\TEMP\GX4784.EXE<-- this file is legit, it is TrendMicro's watchdog.

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

Author

Commented:
So overnight, prior to reading these excellent posts, I had turned off System Restore, ran the Symantec Vundo fix while in safe mode, turned System Restore back on and enabled all in msconfig.
I still have the above listed Browser Helper Objects listed in my add-ons in IE but they are disabled.
Agree completely with the two-AV statements, but TM tanks during the scan and I desperately downloaded the MS product. I will be uninstalling both and reinstalling Trend Micro when I get to the office (I am working on a Verizon Wireless card connection).

Just downloaded the alternative HijackThis; here is the scan.


***Hijackthis log removed by rpggamergirl, Zone Advisor***


FYI - OneCare just popped up and informed me it had cleaned the Win32/Fotomoto, so I am still infected. Not sure if it is related but my keystrokes are seriously compromised also.

Author

Commented:
UPDATE: Went through rpggamergirl's suggestions. The VundoFix seems to have caught the virus; it deleted a whole bunch of files. Additionally, my keyboard seems to be responsive (could it be that the virus was sucking resources?). Here is the latest log file.


***Hijackthis log removed by rpggamergirl, Zone Advisor***
OK. The Vundo infection looks like it has gone - you should fix the following bits of registry clutter just to tidy up:

O2 - BHO: (no name) - {834FE318-C527-4784-B12C-FFA1C4CBC1F2} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - C:\WINDOWS\system32\ljjklml.dll (file missing)

However, the following all suggest a Smitfraud infection:

O4 - HKLM\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe

Download Smitfraudfix :

http://siri.geekstogo.com/SmitfraudFix.php

Follow the instructions, run it in safe mode, then post another HJT log.
CERTIFIED EXPERT
Top Expert 2007

Commented:
>>However, the following all suggest a Smitfraud infection:<<
Actually they are all SDBot variants. SDFix will remove all of those, although SmitfraudFix will remove this one (and only this one) --> C:\Windows\xpupdate.exe



Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back here.


O20 - Winlogon Notify: winxeb32 - C:\WINDOWS\SYSTEM32\winxeb32.dll
The above entry doesn't belong to SDBot trojans, so you just need to let HijackThis delete the file at reboot --> C:\WINDOWS\SYSTEM32\winxeb32.dll and then fix the entry in HijackThis.

Delete this service --> DomainService
Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line:

sc stop DomainService
sc delete DomainService

exit

Also delete these files using the HijackThis delete-at-reboot feature:
C:\WINDOWS\system32\iqfvymxu.exe
C:\WINDOWS\SYSTEM32\msiconf.exe

I'll check back in 8 hours or so.
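The two expert posts above (the Vundo O2/O20 signatures, and the SDBot O4 entries such as svrhost.exe masquerading as svchost.exe) both come down to reading a HijackThis log for a handful of persistence patterns. The script below is an added example written for this page; it is not part of the thread and not HijackThis, Trend Micro or ComboFix code. It parses HJT 1.99-style lines and flags what the experts picked out by hand: a process image in a temp folder, a BHO with a generated-looking DLL name, a Winlogon Notify or AppInit_DLLs entry, a startup entry one letter off a core Windows process, an .exe dropped in the Windows root, and a Winsock LSP HijackThis cannot identify. The sample log is assembled from lines quoted in this thread; the severities and the consonant-run "random name" test are this example's own assumptions and yield leads for a person to check, not verdicts (the thread itself notes that GX4784.EXE in C:\WINDOWS\TEMP turned out to be Trend Micro's watchdog, and the name test also trips on some legitimate OEM binaries such as pccntmon.exe, which is why it is only applied outside Program Files or inside system32).

```python
"""Triage a HijackThis 1.99 log for the persistence patterns discussed above.

Added example for this thread, not HijackThis, Trend Micro or ComboFix code.
Sample lines are copied from the thread; thresholds are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Core Windows processes that malware impersonates with one-letter swaps
# (the thread's svrhost.exe vs. the real svchost.exe).
CORE_PROCESSES = ("svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                  "winlogon.exe", "explorer.exe", "spoolsv.exe", "smss.exe")
TEMP_MARKERS = ("\\windows\\temp\\", "\\temporary internet files\\", "\\local settings\\temp\\")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)      # drive path, spaces allowed
BARE_RE = re.compile(r'(?<![\w\\])([\w~.$-]+\.(?:exe|dll))', re.I)   # bare name, resolved via PATH


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 means one character substituted, inserted or deleted."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Generated names (pmnnm, ljjklml, awvts) have no vowels or a consonant run of 4+.
    Crude (it also trips on some real OEM names), so callers restrict where it is applied."""
    letters = re.sub(r"[^a-z]", " ", stem.lower())
    if not letters.strip():
        return False
    if not re.search(r"[aeiou]", letters):
        return True
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", letters)), default=0) >= 4


def target_of(line: str) -> str:
    """Best-effort: the file an HJT entry points at (full path, else bare file name)."""
    m = PATH_RE.search(line)
    if m:
        return m.group(1)
    names = BARE_RE.findall(line)
    return names[-1] if names else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if re.match(r"[a-z]:\\", low):                     # "Running processes:" section
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append(Finding("medium", "process image in a temp directory; identify it", line))
            continue
        tag = line.split(" - ", 1)[0]                        # O2, O4, O20 ...
        target = target_of(line)
        name = target.rsplit("\\", 1)[-1].lower()
        stem = re.sub(r"\.(exe|dll)$", "", name)
        in_system32 = "\\system32\\" in target.lower()
        if tag in ("O2", "O20", "O21") and "(file missing)" in low:
            findings.append(Finding("low", "orphaned entry: file already gone, fix the key", line))
        elif tag == "O20" and "winlogon notify" in low:
            findings.append(Finding("high", "Winlogon Notify DLL loads into winlogon.exe before the shell (Vundo/SDBot persistence)", line))
        elif tag == "O20" and "appinit_dlls" in low:
            findings.append(Finding("medium", "AppInit_DLLs is injected into every user32 process; confirm the vendor", line))
        elif tag == "O2" and looks_random(stem) and "program files" not in low:
            findings.append(Finding("high", "BHO with a generated-looking DLL name outside Program Files", line))
        elif tag == "O4":
            near = [p for p in CORE_PROCESSES if name != p and levenshtein(name, p) == 1]
            if near:
                findings.append(Finding("high", f"startup entry impersonates {near[0]}", line))
            elif in_system32 and name.endswith(".exe") and looks_random(stem):
                findings.append(Finding("medium", "startup .exe with a generated-looking name in system32", line))
            elif re.search(r"\\windows\\[^\\]+\.exe$", target.lower()):
                findings.append(Finding("medium", "startup .exe dropped directly in the Windows root", line))
        elif tag == "O10" and "unknown file" in low:
            findings.append(Finding("medium", "Winsock LSP HijackThis cannot identify; check the vendor or 'netsh winsock reset'", line))
    return findings


# Constructed sample: lines quoted in this thread, clean entries mixed with the bad ones.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\GX4784.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - awvts.dll
O2 - BHO: (no name) - {834FE318-C527-4784-B12C-FFA1C4CBC1F2} - C:\WINDOWS\system32\awvts.dll (file missing)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winxeb32 - C:\WINDOWS\SYSTEM32\winxeb32.dll
"""

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it on the sample and it reports the three high findings the experts reached by eye (the live awvts.dll BHO, the svrhost.exe lookalike and the winxeb32 Winlogon Notify DLL), the orphaned awvts.dll entry as low-severity clean-up, and the temp-folder process, xpupdate.exe, the Bonjour LSP and the AppInit_DLLs entry as items to identify; the Google toolbar, Trend Micro and NVIDIA entries pass. The point of the design is the one rpggamergirl makes: HijackThis only shows what is loaded, so the script rates entries rather than declaring a system clean.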
CERTIFIED EXPERT
Top Expert 2007

Commented:
Can we look at the vundofix.txt please? Or can you check that VundoFix deleted everything it found?

Also Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/
OK. As usual, rpggamergirl is quite correct...
I saw the C:\Windows\xpupdate.exe entry, which I know is associated with BraveSentry (a Smitfraud infection) and I assumed svrhost.exe was part of the same infection. I have now googled it and know different...
Please follow rpggamergirl's advice in the above two posts, and then post a fresh HJT log.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Your log shows that you're running in diagnostic startup mode, so whatever startup entries you unchecked are NOT showing in the HijackThis log; we need to know what those entries are (in case they are malware entries).

Can you run the HijackThis scan again with all those startup entries checked please?
HijackThis will only scan enabled startup entries, so if you did uncheck a malware startup entry then we won't know what it is.

You could also just tell us which entries you disabled.

I'll leave you with these experts good hands, :) and I'll check back in 8 to 10 hours how things are.

Author

Commented:
OK - I think I have completed all the steps. The only thing was that there was no msconfig file to delete.

System is running much faster. Received one pop-up for Netflix when I went to the Experts Exchange site.

Here are the log files

***Hijackthis, Vundofix and SDFix logs removed by rpggamergirl, Zone Advisor***

Author

Commented:
So just when I thought I was safe .....

Windows Live OneCare finds:
TrojanDownloader:Win32/Nonaco.A
Trojan:Win32/Agent.PA
-and-
Trend Micro finds
TROJ_PURITYSC>AU - C:windows\temp\win26.tmp.exe
TROJ_PURITYSC>AU - C:documents and Settings\rgallucci.lmv\localsetings\temporary Internet Files\Content.IE5\ulxgl0xa\xc42[1]/exe

Both Trend Micro results = Virus successfully detected, but infected file can neither be cleaned nor quarantined.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Did you have Notepad running while scanning with HijackThis? Just wondering.

Please fix these entries in hijackthis:
O4 - HKLM\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe
O20 - Winlogon Notify: winxeb32 - C:\WINDOWS\SYSTEM32\winxeb32.dll


The O20 entry is the one creating files in your temp folder. You need to delete the file --> winxeb32.dll
You also need to clean your temp folder using ATF Cleaner or CCleaner.


Have you deleted all those files I mentioned in my other posts?
also delete these files below if still present:
Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\winxeb32.dll
C:\WINDOWS\system32\dlinst0.dll
C:\WINDOWS\system32\dlinsth.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.


Also run ComboFix; it removes PurityScan along with other nasties:
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Author

Commented:
OK - did everything you have said - Twice!
Running IE with add-ons disabled.
See two entries that concern me, you may see more, they are:
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\opnkhig.dll
When I try to remove them with Killbox it fails.


***hijackthis and Combofix logs removed by rpggamergirl, Zone Advisor***

What is going on that there are so many infections?
CERTIFIED EXPERT
Top Expert 2007
Commented:

Author

Commented:
I am tattered, worn and just about beaten! I am about to go for the nuclear option.



***Hijackthis/combofix logs removed by rpggamergirl, Zone Advisor***      

Author

Commented:
Ran VundoFix  and Hijack this again


***Hijackthis log removed by rpggamergirl, Zone Advisor***
CERTIFIED EXPERT
Top Expert 2007

Commented:
Tell us, did you run the CFScript?
The ComboFix log you posted didn't show that the script was run.
Let us know if you did or didn't, because they are still there! We'll then use another method if the script didn't work.

Author

Commented:
Vundo is back; MS OneCare just informed me it needed to clean it. I am not sure where the file that keeps spawning the virus is, or if it is just that I have not been successful in cleaning it completely (sounds sort of the same). Is it possible someone has a hook into my system?

If I format the HD and rebuild is there any way they could get back in (i.e. through knowing my MAC address)? Please advise.

I am willing to give a clean one more chance but after that I am done.


Even though it has not been cleaned I will award the points to RPG - Photo, I would like to give you 250 points for your help also. Should I open a separate question worth 250 points and you can answer it? Please let me know.

Author

Commented:
I did run the script - I will do it again.
If you format and re-install you will start again with a clean sheet - what happens after that is down to your security software and your website choices...
It is strange that despite all this work, your pc still has a Vundo infection.

Advice on closing questions and awarding points is here:
https://www.experts-exchange.com/help.jsp#hs1

If you do reinstall, I would recommend the two utilities in my first post: PrevX and Superantispyware...
CERTIFIED EXPERT
Top Expert 2007

Commented:
Sometimes, Vundo comes with a rootkit-like file or a driver that protects a file from deletion or respawns it. We can of course run other diagnostic tools to check for hidden drivers.

A reformat will remove the nasties present in the drive, after which you can reinstall the OS. Just to be sure, you would need to change all passwords that have been used on that infected PC.

>>I am willing to give a clean one more chance but after that I am done. <<
Good, let's not give up yet to malware or any nasties, I certainly won't :)
Can you run the script again? If the script fails we can use Avenger to delete them.
We still have some other options left.
When Avenger fails, that's when I start to wonder.

After running the script, please show us a fresh HijackThis log.

All those files that I listed in the script ComboFix supposedly deleted, and it will tell us in the log.
Just drag the CFScript and drop it into combofix.exe and ComboFix will run (CFScript has to be saved in the same location as combofix.exe).


No need to open a new question, you can split points between experts participating on this question, thanks.

Author

Commented:
rpg - I like your style! I am not one to quit, just not sure if we could win this one. If you think we can, on principle I will keep fighting.

Author

Commented:
Sorry I did not get to do any of this yesterday. RPG - I followed these steps:
Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------------------------
File::
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\drvhed.dll
C:\WINDOWS\system32\opnkhig.dll
C:\WINDOWS\system32\drvhedr.dll
C:\WINDOWS\system32\lmllm.bak1
C:\{8001B2E0-0000-0000-0213-27A9C0EA6983}
C:\{00004266-0000-0000-5388-324CE8E3E569}
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\qqtwa.bak1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC358019-D328-40B4-8E2D-818CE142616C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1815D71-D97B-4501-AFB0-DE5EBC970B57}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhig]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
----------------------------
Note: I renamed the CFScript.txt to CFScript; I was not sure if it needed the .txt.
Here is the log (BTW - still have Vundo - OneCare just popped up telling me it was removing it again).


***Combofix and hijackthis logs removed by rpggamergirl, Zone Advisor***


I am going to run combofix again with the .txt extension on the script file.

Author

Commented:
This is going to be a huge post. All actions done while off line.

1: Cleared restore points
2: Del all temp files with cleanup452
3: Ran Vundo Fix (Safe mode) - reported finding no infection
4: Ran SDFix
5: Ran ATF Cleaner (safe mode)
6: Ran HijackThis to try to delete opnkhig.dll (Failed)
7: Ran ComboFix with the script saved as CFScript.txt (This time I watched it deleting files)
8: Plugged computer back into the network.

Here are the log files:
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 11:44, on 2007-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\TEMP\QK5DE8.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Documents and Settings\rgallucci.LMV\My Documents\My Downloads\utils\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070709
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {89383506-0D6D-4797-B222-B2256E0A468F} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184282442943
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184282429102
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netformx.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\Software\..\Telephony: DomainName = lmv.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lmv.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: MaxSyncService (NTService1) -   - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

ComboFix Log
ComboFix 07-08-14.4 - "rgallucci" 2007-08-21 11:29:50.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2352 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\rgallucci.LMV\Desktop\AV\CFScript.txt

FILE::
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\drvhed.dll
C:\WINDOWS\system32\opnkhig.dll
C:\WINDOWS\system32\drvhedr.dll
C:\WINDOWS\system32\lmllm.bak1
C:\{8001B2E0-0000-0000-0213-27A9C0EA6983}
C:\{00004266-0000-0000-5388-324CE8E3E569}
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\qqtwa.bak1


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\drvhed.dll
C:\WINDOWS\system32\drvhedr.dll
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\opnkhig.dll
C:\WINDOWS\system32\qqtwa.bak1


(((((((((((((((((((((((((   Files Created from 2007-07-21 to 2007-08-21  )))))))))))))))))))))))))))))))


2007-08-19 00:04      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-18 23:40      <DIR>      d--------      C:\!KillBox
2007-08-18 11:34      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-08-16 15:08      <DIR>      d--------      C:\DOCUME~1\RGALLU~1.LMV\WebEx
2007-08-16 00:25      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
2007-08-16 00:20      <DIR>      d--------      C:\Program Files\Maxtor
2007-08-15 23:43      <DIR>      d--------      C:\WINDOWS\pss
2007-08-13 16:42      <DIR>      d--------      C:\Program Files\Trimble Outdoors
2007-08-07 07:22      <DIR>      d--------      C:\VundoFix Backups
2007-08-07 00:24      81,024      --a------      C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-08-07 00:24      105,856      --a------      C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-08-07 00:21      67,784      --a------      C:\WINDOWS\system32\drivers\MpFilter.sys
2007-08-07 00:14      <DIR>      d--------      C:\Program Files\Microsoft Windows OneCare Live
2007-08-06 20:11      <DIR>      d--------      C:\{8001B2E0-0000-0000-0213-27A9C0EA6983}
2007-08-06 20:11      <DIR>      d--------      C:\{00004266-0000-0000-5388-324CE8E3E569}
2007-08-06 18:24      <DIR>      d--------      C:\Program Files\Windows Live Safety Center
2007-08-03 10:28      <DIR>      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Smith Micro
2007-08-03 10:24      17,024      --a--c---      C:\WINDOWS\system32\dllcache\usbohci.sys
2007-08-03 10:24      17,024      --a------      C:\WINDOWS\system32\drivers\usbohci.sys
2007-08-03 10:22      65,536      --a------      C:\WINDOWS\system32\pxfhwmcp.dll
2007-08-03 10:22      58,240      --a------      C:\WINDOWS\system32\drivers\PTDCWWAN.sys
2007-08-03 10:22      41,728      --a------      C:\WINDOWS\system32\drivers\PTDCMdm.sys
2007-08-03 10:22      39,808      --a------      C:\WINDOWS\system32\drivers\PTDCVsp.sys
2007-08-03 10:22      319,456      --a------      C:\WINDOWS\system32\DIFxAPI.dll
2007-08-03 10:22      27,520      --a------      C:\WINDOWS\system32\drivers\PTDCBus.sys
2007-08-03 10:22      14,336      --a------      C:\WINDOWS\system32\PTDCCID.dll
2007-08-03 10:22      <DIR>      d--------      C:\Program Files\Verizon Wireless
2007-08-03 10:22      <DIR>      d--------      C:\Program Files\PANTECH
2007-07-31 11:05      <DIR>      d--------      C:\WINDOWS\system32\XPSViewer
2007-07-31 11:04      <DIR>      d--------      C:\Program Files\Reference Assemblies
2007-07-31 11:03      14,048      --a------      C:\WINDOWS\system32\spmsg2.dll
2007-07-31 11:02      <DIR>      d--------      C:\Program Files\Windows Media Connect 2
2007-07-31 10:49      36,352      --a------      C:\WINDOWS\system32\tsgqec.dll
2007-07-31 10:49      288,768      --a------      C:\WINDOWS\system32\rhttpaa.dll
2007-07-31 10:49      116,736      --a------      C:\WINDOWS\system32\aaclient.dll
2007-07-27 14:26      <DIR>      d--------      C:\Program Files\Windows Defender
2007-07-27 14:23      <DIR>      d--------      C:\Program Files\Trend Micro
2007-07-26 12:48      <DIR>      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Sonic
2007-07-25 10:56      <DIR>      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\WebEx
2007-07-25 10:55      202,314      --a------      C:\WINDOWS\system32\atasnt40.dll
2007-07-25 10:54      51,304      --a------      C:\WINDOWS\system32\drivers\atnt40k.sys
2007-07-25 09:52      56,912      --a------      C:\DOCUME~1\RGALLU~1.LMV\g2mdlhlpx.exe
2007-07-25 09:52      <DIR>      d--------      C:\Program Files\Citrix
2007-07-25 09:51      1,156      --a------      C:\WINDOWS\mozver.dat
2007-07-25 09:49      0      --a------      C:\WINDOWS\nsreg.dat
2007-07-25 09:49      <DIR>      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Talkback


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 00:23      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-31 11:08      ---------      d--------      C:\Program Files\MSBuild
2007-07-19 02:59      3583488      --a--c---      C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-19 01:24      ---------      d--------      C:\Program Files\MSXML 6.0
2007-07-19 01:24      ---------      d--------      C:\Program Files\Microsoft SQL Server
2007-07-19 01:20      ---------      d--------      C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-19 01:13      ---------      d--------      C:\Program Files\MSXML 4.0
2007-07-16 17:12      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Research In Motion
2007-07-16 17:11      ---------      d--------      C:\Program Files\Research In Motion
2007-07-16 17:11      ---------      d--------      C:\Program Files\Common Files\Research In Motion
2007-07-15 23:12      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\DSDevelopment
2007-07-14 23:18      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Google
2007-07-14 21:30      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\DS Development
2007-07-14 21:17      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Windows Desktop Search
2007-07-14 21:17      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Dell
2007-07-13 21:03      ---------      d--------      C:\Program Files\Bonjour
2007-07-13 20:48      ---------      d--------      C:\Program Files\Common Files\Macrovision Shared
2007-07-13 19:49      5986      --a------      C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-13 19:48      9328      --a------      C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-13 18:03      ---------      d--------      C:\Program Files\DS Development
2007-07-13 16:56      ---------      d--------      C:\Program Files\Pro Imaging Powertoys
2007-07-13 16:56      ---------      d--------      C:\Program Files\Common Files\Nikon
2007-07-13 16:20      ---------      d--------      C:\Program Files\Zune
2007-07-13 16:19      ---------      d--------      C:\Program Files\DIFX
2007-07-13 16:19      ---------      d--------      C:\Program Files\Common Files\ComponentOne
2007-07-12 19:31      765952      --a--c---      C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-12 19:30      ---------      d--------      C:\Program Files\Microsoft MapPoint
2007-07-12 19:30      ---------      d--------      C:\Program Files\Microsoft Location Finder
2007-07-12 18:41      ---------      d--------      C:\Program Files\Microsoft Small Business
2007-07-12 18:38      ---------      d--------      C:\Program Files\Microsoft.NET
2007-07-12 17:58      ---------      d--------      C:\Program Files\Windows Desktop Search
2007-07-12 17:47      ---------      d--------      C:\Program Files\Microsoft Works
2007-07-12 17:13      ---------      d--------      C:\Program Files\Microsoft Windows Small Business Server
2007-07-12 16:49      ---------      d--------      C:\Program Files\Google
2007-07-09 23:12      ---------      d--h-----      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\Gtek
2007-07-09 23:12      ---------      d--------      C:\Program Files\Sonic
2007-07-09 23:12      ---------      d--------      C:\Program Files\Roxio
2007-07-09 23:12      ---------      d--------      C:\Program Files\Dell Support
2007-07-09 23:12      ---------      d--------      C:\Program Files\Common Files\SureThing Shared
2007-07-09 23:12      ---------      d--------      C:\Program Files\Common Files\Sonic Shared
2007-07-09 23:12      ---------      d--------      C:\Program Files\Common Files\InstallShield
2007-07-09 23:11      ---------      d--------      C:\Program Files\Digital Line Detect
2007-07-09 23:11      ---------      d--------      C:\Program Files\BAE
2007-07-09 23:10      ---------      d--------      C:\Program Files\NetWaiting
2007-07-09 23:10      ---------      d--------      C:\Program Files\Modem Helper
2007-07-09 23:10      ---------      d--------      C:\Program Files\Dell
2007-07-09 23:10      ---------      d--------      C:\Program Files\CyberLink
2007-07-09 23:10      ---------      d--------      C:\DOCUME~1\RGALLU~1.LMV\APPLIC~1\InstallShield
2007-07-09 23:09      ---------      d--------      C:\Program Files\Wave Systems Corp
2007-07-09 23:07      ---------      d--------      C:\Program Files\NTRU Cryptosystems
2007-07-09 23:07      ---------      d--------      C:\Program Files\Broadcom
2007-07-09 23:05      ---------      d--------      C:\Program Files\Sigmatel
2007-07-09 23:05      ---------      d--------      C:\Program Files\CONEXANT
2007-07-09 23:02      ---------      d--------      C:\Program Files\BlueTooth
2007-07-09 23:01      ---------      d--------      C:\Program Files\Toshiba
2007-07-09 23:00      ---------      d--------      C:\Program Files\Messenger
2007-07-09 22:46      ---------      d--------      C:\Program Files\Apoint
2007-07-09 22:43      5840      --a------      C:\WINDOWS\system32\drivers\1028_Dell_LAT_D820.mrk
2007-06-27 10:34      823808      --a--c---      C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34      671232      --a--c---      C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34      6058496      -----c---      C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34      52224      -----c---      C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34      477696      --a--c---      C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34      459264      -----c---      C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34      44544      --a--c---      C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34      384512      --a--c---      C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34      383488      -----c---      C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34      27648      --a--c---      C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34      267776      -----c---      C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34      232960      --a--c---      C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34      230400      --a--c---      C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34      193024      --a--c---      C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34      153088      --a--c---      C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34      132608      --a--c---      C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34      124928      --a--c---      C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34      1152000      --a--c---      C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34      105984      --a--c---      C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34      102400      --a--c---      C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27      63488      --a--c---      C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27      625152      --a--c---      C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27      13824      -----c---      C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00      161792      --a--c---      C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08      1104896      --a--c---      C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-26 02:08      1104896      --a------      C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31      282112      --a--c---      C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 09:31      282112      --a------      C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23      1033216      --a--c---      C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23      1033216      --a------      C:\WINDOWS\explorer.exe
2007-06-11 23:51      10834944      --a--c---      C:\WINDOWS\system32\dllcache\wmp.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89383506-0D6D-4797-B222-B2256E0A468F}]
                  C:\WINDOWS\system32\pmnnm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-02 23:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-02 10:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 09:14]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 17:03]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-12 09:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2006-01-19 09:14 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 09:14 C:\WINDOWS\system32\nvhotkey.dll]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-25 09:11]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 09:32]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 13:29]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 18:35]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 09:17 C:\WINDOWS\system32\bthprops.cpl]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 13:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 16:35]

C:\Documents and Settings\rgallucci.LMV\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-08-03 10:22:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-07-09 23:11:04]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 10:45:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"


R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan;C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 tmlisten;Trend Micro Client/Server Security Agent Listener;C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R3 guardian2;guardian2;C:\WINDOWS\system32\Drivers\oz776.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 11:40:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 11:42:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 11:42
C:\ComboFix2.txt ... 2007-08-21 08:43
C:\ComboFix3.txt ... 2007-08-19 08:09

      --- E O F ---

SDFix Log

SDFix: Version 1.99

Run by RGallucci on Tue 08/21/2007 at 10:40 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\rgallucci.LMV\My Documents\My Music\Zune\Unknown Artist\BillOReilly.com\desktop.ini
C:\Documents and Settings\rgallucci.LMV\My Documents\My Music\Zune\Unknown Artist\The Radio Factor on BillOReilly.com\desktop.ini
C:\Documents and Settings\Administrator\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\RGallucci\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL1204.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL1628.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL2629.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL3189.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL3768.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Landmark\H5\Appetizers\~WRL4093.tmp
C:\Documents and Settings\rgallucci.LMV\My Documents\Dell 820 Restore from Damaged HD\Documents and Settings\RGallucci.landmark1\My Documents\Toshiba My Documents and PST\Outlook\~outlook0.ost.tmp
C:\Program Files\Google\Google Desktop Search\BIT162.tmp
C:\Program Files\Google\Google Desktop Search\BIT163.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

                                 Finished

Please tell me the nightmare is over and that my system is clean. If not, RPG, I am in your hands - let me know the next steps.
RG
Apart from two pieces of registry clutter, your log looks cool.
Fix these just to tidy up:

O2 - BHO: (no name) - {89383506-0D6D-4797-B222-B2256E0A468F} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)

Is your av software still detecting Vundo infection?
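The two entries flagged above are the classic signs a reviewer scans a HijackThis log for: a BHO with no name whose DLL is gone, an extra IE button pointing at a URL and a missing file, plus (elsewhere in the thread) a process running out of C:\WINDOWS\TEMP, an unknown Winsock LSP and a populated AppInit_DLLs value. The following script is an added example, not code from the thread or from the HijackThis project: it parses a constructed log fragment in HijackThis v1.99 format (the entries are copied from the logs posted here) and returns the lines that deserve a second look. The rules are triage heuristics assumed for illustration, not a signature database, and every hit still needs a human to verify the vendor.

```python
"""Triage heuristics for a HijackThis v1.99-style log (added example)."""
import re
from typing import List, Tuple

# Constructed sample in HijackThis format. Entries are modelled on the logs
# posted in the thread; nothing here is a real detection signature.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\TEMP\\GX4784.EXE
C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe

O2 - BHO: (no name) - {89383506-0D6D-4797-B222-B2256E0A468F} - C:\\WINDOWS\\system32\\pmnnm.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O9 - Extra button: Security InfoCenter - {CEF2D273-7F43-4445-B9DF-FD095524C49F} - http://winsafesurf.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O20 - AppInit_DLLs: wxvault.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\\Program Files\\Dell\\QuickSet\\NICCONFIGSVC.exe
"""

# "O2 - BHO: ...", "R1 - HKLM...", "F2 - ..." style entry lines.
ENTRY_RE = re.compile(r"^(?P<type>[ROF]\d+) - (?P<body>.*)$")
# Any path component named "temp" (case-insensitive) in an executable path.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into (running process paths, [(entry type, entry body)])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("type"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries worth a manual check."""
    findings: List[Tuple[str, str]] = []
    processes, entries = parse_log(text)
    for proc in processes:
        if TEMP_DIR_RE.search(proc):
            findings.append(("process running from a temp directory", proc))
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind == "O2" and ("(file missing)" in body or body.startswith("BHO: (no name)")):
            findings.append(("orphaned or unnamed BHO", line))
        elif kind == "O9" and ("(file missing)" in body or "http://" in body):
            findings.append(("extra IE button pointing at a URL or missing file", line))
        elif kind == "O10":
            findings.append(("unknown Winsock LSP, verify the vendor", line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs is populated, verify every DLL", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the constructed sample this flags five lines (the TEMP process, the nameless BHO, the winsafesurf button, the Bonjour LSP and the AppInit_DLLs value) and leaves the Adobe BHO and the Dell service alone; the Bonjour hit shows why the output is a review list, not a removal list.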


Author

Commented:
Hey Photo

Not since this morning's combo scan. Hopefully it is gone. I will clean up the entries you mention, wait 24 hours and then declare the battle won.

Thanks for the time and effort in helping me with this one.

Fingers crossed...
CERTIFIED EXPERT
Top Expert 2007

Commented:
>>Ran Hijack this to try to delete opnkhig.dll (Failed)<<
Hijackthis can't remove entries while infection is still active.


>>Ran combofix with the script saced as CFScript.txt (This time I watched it deleting files)<<
Yeah, it is a text file named CFScript.

Logs show that Vundo is gone, looks good.
I knew we could beat them, :)

Author

Commented:
Hopefully the last Hijack log

Thanks all

Logfile of HijackThis v1.99.1
Scan saved at 12:27:28 AM, on 2007-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\TEMP\WYF802.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\DS Development\Easy Mail Merge for Outlook\EMMOpts.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\rgallucci.LMV\My Documents\My Downloads\utils\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070709
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://server-01.lmv.local:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184282442943
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184282429102
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://netformx.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\Software\..\Telephony: DomainName = lmv.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lmv.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lmv.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: MaxSyncService (NTService1) -   - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

Just to throw it out there (I would like to know what everyone thinks on the issue):

Wouldn't it have saved you a lot of time and energy to just back up and reinstall once you got back to the office on Monday? I understand not being able to during the weekend. But now you have put all this time into cleaning up this system that you haven't even got fully cleaned. Not to knock anyone here for the job they have done. But how confident are you that you will have a fully sanitized machine?

In my opinion I would rather just spend a few hours reinstalling and restoring from backup and knowing that my system is completely clean than spend days on top of days trying to get my system clean (trust me, I have once or twice before).

My general rule of thumb for my network is: if a bad infestation is found on any system, the system is to be backed up, completely wiped and reinstalled. The backed-up data is then sanitized and placed back on the fresh install.

What does everyone else think on this issue?

Author

Commented:
Thatguy

You're talking business - this became personal!

That said, I am going to be rebuilding this system shortly.

The one thing that this did confirm is the need for a "Ghost" type solution in our ecosystem. I have moved us to standardized platforms and have just begun looking into solutions. That would have saved the most amount of time.

"But now you have put all this time into cleaning up this system that you havent even got fully cleaned"
Do you see something else still lingering?

Thanks
"Do you see something else still lingering?"
I thought I had seen one of your last posts where you said you thought something was still on there. I guess not.

I can see it more from a personal side than a business side, yes.



CERTIFIED EXPERT
Top Expert 2007

Commented:
>>Do you see something else still lingering?<<
Your HijackThis log is clean! Although some nasties can also hide from a HijackThis scan (just like an antivirus missing viruses).

Thank you for the points!
Are you still having problems?


>>What does everyone else think on this issue.<<
A reformat is always my last resort, or in the case where I can see that the system is definitely compromised, then I wouldn't even try and clean it.
Backing up of data, reformatting, cleaning the backup and reinstalling also takes time, and not everyone prefers that option (unless really necessary).

Author

Commented:
RPG - I like the ability to work through the problem. Although I am no longer on the front line of support it felt good to get my hands wet again. I learned an incredible amount through the process.

That said, and as mentioned in a previous reply, I am going to roll out Ghost or some similar technology fairly quickly. My company has doubled in size in the past year and we expect treble growth over the coming 12 months. We simply do not have the bandwidth to fight infections. It is much quicker to ghost back onto the box.

Additionally, I never stated how I became infected. It was a classic case of a dumb user trying to bypass safeguards. We have a volume license for XP. I had a broken notebook and instead of searching for a cal I went to a hack site and opened a file with boot cals. Obviously the cals did not work and I seriously infected my system. So I get idiot of the year and paid heavily for it.
CERTIFIED EXPERT
Top Expert 2007

Commented:
>>It is much quicker to ghost back onto the box.<<
Yes, I agree, that's a good and sensible idea.

Best of luck!
Just to add my two cents:

Formatting and reinstalling is a last resort...
The whole issue of malware resolves to a battle of wits between the people who write the malicious software and the people who write the a/v software. If your response to every infection is to format and reinstall, that battle will be lost - most of the tools used in cleaning ajulianolmv's PC were not commercially produced, they were designed by concerned individuals.
Removing malware from domestic and corporate PCs is an essential part of this process, and to simply wipe the HDD and start again can only mean that in the long run you will have to format and reinstall more and more frequently.
I can see that in an office environment it makes sense to do this in the short term. The bigger picture demands a different approach...

"...You're talking business - this became personal!..."
I know what you mean! I always feel like reformatting a customer's computer after a battle with malware is an admission of failure - and I don't often do it...



