Trojan.Vundo + Malware.Trace [Solved]

Hi there lets see if I can resolve this for you

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All Users
• Check the Radio button for Rootkit check YES
• Under Additional Scans check the following:
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EventViewer Errors/Warnings (last 10)
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Hey, thanks for the reply. Log attached! hope this helps

Try this

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "dawomayanu" -> %SystemRoot%\system32\jajukufe.DLL [Rundll32.exe "C:\WINDOWS\system32\jajukufe.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> nxezyd.dll -> %SystemRoot%\system32\nxezyd.dll
YN ->  yrqnbq.dll hdgetg.dll -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Letori\Application Data\Twain\Twain.exe" -> C:\Documents and Settings\Letori\Application Data\Twain\Twain.exe [C:\Documents and Settings\Letori\Application Data\Twain\Twain.exe:*:Enabled:Twain]
YN -> "C:\Documents and Settings\Letori\Local Settings\Temp\nsh14.tmp" -> C:\Documents and Settings\Letori\Local Settings\Temp\nsh14.tmp [C:\Documents and Settings\Letori\Local Settings\Temp\nsh14.tmp:*:Enabled:nsh14]
[Files/Folders - Created Within 30 Days]
NY -> geBTnmMf.dll -> %SystemRoot%\System32\geBTnmMf.dll
NY -> ddcDUKaA.dll -> %SystemRoot%\System32\ddcDUKaA.dll
NY -> hdgetg.dll -> %SystemRoot%\System32\hdgetg.dll
NY -> oepbvtad.dll -> %SystemRoot%\System32\oepbvtad.dll
NY -> yrqnbq.dll -> %SystemRoot%\System32\yrqnbq.dll
NY -> iroosems.dll -> %SystemRoot%\System32\iroosems.dll
NY -> nxezyd.dll -> %SystemRoot%\System32\nxezyd.dll
NY -> ydtlvpoi.dll -> %SystemRoot%\System32\ydtlvpoi.dll
NY -> tgovvjbr.ini -> %SystemRoot%\System32\tgovvjbr.ini
NY -> ogepazih.ini -> %SystemRoot%\System32\ogepazih.ini
NY -> upuboban.ini -> %SystemRoot%\System32\upuboban.ini
NY -> kpcqsi.dll -> %SystemRoot%\System32\kpcqsi.dll
NY -> indqhpcs.dll -> %SystemRoot%\System32\indqhpcs.dll
NY -> unihuvov.ini -> %SystemRoot%\System32\unihuvov.ini
NY -> uyobamin.ini -> %SystemRoot%\System32\uyobamin.ini
NY -> nqewyjqb.dll -> %SystemRoot%\System32\nqewyjqb.dll
NY -> dvmgfb.dll -> %SystemRoot%\System32\dvmgfb.dll
NY -> hykxmi.dll -> %SystemRoot%\System32\hykxmi.dll
NY -> aojfwwvg.dll -> %SystemRoot%\System32\aojfwwvg.dll
NY -> bopwkj.dll -> %SystemRoot%\System32\bopwkj.dll
NY -> dbwtprta.dll -> %SystemRoot%\System32\dbwtprta.dll
NY -> ahibudam.ini -> %SystemRoot%\System32\ahibudam.ini
NY -> Twain -> %AppData%\Twain
NY -> crsmrreo.ini -> %SystemRoot%\System32\crsmrreo.ini
NY -> dtdgwg.dll -> %SystemRoot%\System32\dtdgwg.dll
NY -> hasgioqr.dll -> %SystemRoot%\System32\hasgioqr.dll
NY -> foi -> %SystemRoot%\System32\foi
NY -> .# -> %UserProfile%\Local Settings\Application Data\.#
NY -> xxyxUono.dll -> %SystemRoot%\System32\xxyxUono.dll
NY -> mlJaaaAQ.dll -> %SystemRoot%\System32\mlJaaaAQ.dll
NY -> mzmgrq.dll -> %SystemRoot%\System32\mzmgrq.dll
NY -> kcfvcmvc.ini -> %SystemRoot%\System32\kcfvcmvc.ini
NY -> kgscjvhj.dll -> %SystemRoot%\System32\kgscjvhj.dll
NY -> jtfyllfp.job -> %SystemRoot%\tasks\jtfyllfp.job
NY -> yayyYPiJ.dll.vir -> %SystemRoot%\System32\yayyYPiJ.dll.vir
[Files/Folders - Modified Within 30 Days]
NY -> jtfyllfp.job -> %SystemRoot%\tasks\jtfyllfp.job
NY -> vijoloju -> %SystemRoot%\System32\vijoloju
NY -> geBTnmMf.dll -> %SystemRoot%\System32\geBTnmMf.dll
NY -> ddcDUKaA.dll -> %SystemRoot%\System32\ddcDUKaA.dll
NY -> oepbvtad.dll -> %SystemRoot%\System32\oepbvtad.dll
NY -> hdgetg.dll -> %SystemRoot%\System32\hdgetg.dll
NY -> yrqnbq.dll -> %SystemRoot%\System32\yrqnbq.dll
NY -> iroosems.dll -> %SystemRoot%\System32\iroosems.dll
NY -> ydtlvpoi.dll -> %SystemRoot%\System32\ydtlvpoi.dll
NY -> nxezyd.dll -> %SystemRoot%\System32\nxezyd.dll
NY -> tgovvjbr.ini -> %SystemRoot%\System32\tgovvjbr.ini
NY -> ogepazih.ini -> %SystemRoot%\System32\ogepazih.ini
NY -> upuboban.ini -> %SystemRoot%\System32\upuboban.ini
NY -> kpcqsi.dll -> %SystemRoot%\System32\kpcqsi.dll
NY -> indqhpcs.dll -> %SystemRoot%\System32\indqhpcs.dll
NY -> unihuvov.ini -> %SystemRoot%\System32\unihuvov.ini
NY -> uyobamin.ini -> %SystemRoot%\System32\uyobamin.ini
NY -> nqewyjqb.dll -> %SystemRoot%\System32\nqewyjqb.dll
NY -> dvmgfb.dll -> %SystemRoot%\System32\dvmgfb.dll
NY -> hykxmi.dll -> %SystemRoot%\System32\hykxmi.dll
NY -> aojfwwvg.dll -> %SystemRoot%\System32\aojfwwvg.dll
NY -> yehifuni.dll -> %SystemRoot%\System32\yehifuni.dll
NY -> dbwtprta.dll -> %SystemRoot%\System32\dbwtprta.dll
NY -> bopwkj.dll -> %SystemRoot%\System32\bopwkj.dll
NY -> ahibudam.ini -> %SystemRoot%\System32\ahibudam.ini
NY -> tubiwewa.dll -> %SystemRoot%\System32\tubiwewa.dll
NY -> crsmrreo.ini -> %SystemRoot%\System32\crsmrreo.ini
NY -> hasgioqr.dll -> %SystemRoot%\System32\hasgioqr.dll
NY -> dtdgwg.dll -> %SystemRoot%\System32\dtdgwg.dll
NY -> kcfvcmvc.ini -> %SystemRoot%\System32\kcfvcmvc.ini
NY -> xxyxUono.dll -> %SystemRoot%\System32\xxyxUono.dll
NY -> mlJaaaAQ.dll -> %SystemRoot%\System32\mlJaaaAQ.dll
NY -> mzmgrq.dll -> %SystemRoot%\System32\mzmgrq.dll
NY -> kgscjvhj.dll -> %SystemRoot%\System32\kgscjvhj.dll
NY -> yayyYPiJ.dll.vir -> %SystemRoot%\System32\yayyYPiJ.dll.vir
[File - Lop Check]
NY -> Twain -> C:\Documents and Settings\Letori\Application Data\Twain
NY -> jtfyllfp.job -> C:\WINDOWS\Tasks\jtfyllfp.job
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Ok, I got a read access error from the remove temp folders part of the fix you gave me, but I assume it was because I had firefox open at the time. Closed firefox, and ran fix against without trouble. This is the log it generated.

[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dawomayanu not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nxezyd.dll scheduled to be deleted on reboot.
File C:\WINDOWS\system32\nxezyd.dll not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls: yrqnbq.dll hdgetg.dll scheduled to be deleted on reboot.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Letori\Application Data\Twain\Twain.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Letori\Local Settings\Temp\nsh14.tmp not found.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\geBTnmMf.dll not found!
File C:\WINDOWS\System32\ddcDUKaA.dll not found!
File C:\WINDOWS\System32\hdgetg.dll not found!
File C:\WINDOWS\System32\oepbvtad.dll not found!
File C:\WINDOWS\System32\yrqnbq.dll not found!
File C:\WINDOWS\System32\iroosems.dll not found!
File C:\WINDOWS\System32\nxezyd.dll not found!
File C:\WINDOWS\System32\ydtlvpoi.dll not found!
File C:\WINDOWS\System32\tgovvjbr.ini not found!
File C:\WINDOWS\System32\ogepazih.ini not found!
File C:\WINDOWS\System32\upuboban.ini not found!
File C:\WINDOWS\System32\kpcqsi.dll not found!
File C:\WINDOWS\System32\indqhpcs.dll not found!
File C:\WINDOWS\System32\unihuvov.ini not found!
File C:\WINDOWS\System32\uyobamin.ini not found!
File C:\WINDOWS\System32\nqewyjqb.dll not found!
File C:\WINDOWS\System32\dvmgfb.dll not found!
File C:\WINDOWS\System32\hykxmi.dll not found!
File C:\WINDOWS\System32\aojfwwvg.dll not found!
File C:\WINDOWS\System32\bopwkj.dll not found!
File C:\WINDOWS\System32\dbwtprta.dll not found!
File C:\WINDOWS\System32\ahibudam.ini not found!
File C:\Documents and Settings\Letori\Application Data\Twain not found!
File C:\WINDOWS\System32\crsmrreo.ini not found!
File C:\WINDOWS\System32\dtdgwg.dll not found!
File C:\WINDOWS\System32\hasgioqr.dll not found!
File C:\WINDOWS\System32\foi not found!
File C:\Documents and Settings\Letori\Local Settings\Application Data\.# not found!
File C:\WINDOWS\System32\xxyxUono.dll not found!
File C:\WINDOWS\System32\mlJaaaAQ.dll not found!
File C:\WINDOWS\System32\mzmgrq.dll not found!
File C:\WINDOWS\System32\kcfvcmvc.ini not found!
File C:\WINDOWS\System32\kgscjvhj.dll not found!
File C:\WINDOWS\tasks\jtfyllfp.job not found!
File C:\WINDOWS\System32\yayyYPiJ.dll.vir not found!
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\tasks\jtfyllfp.job not found!
File C:\WINDOWS\System32\vijoloju not found!
File C:\WINDOWS\System32\geBTnmMf.dll not found!
File C:\WINDOWS\System32\ddcDUKaA.dll not found!
File C:\WINDOWS\System32\oepbvtad.dll not found!
File C:\WINDOWS\System32\hdgetg.dll not found!
File C:\WINDOWS\System32\yrqnbq.dll not found!
File C:\WINDOWS\System32\iroosems.dll not found!
File C:\WINDOWS\System32\ydtlvpoi.dll not found!
File C:\WINDOWS\System32\nxezyd.dll not found!
File C:\WINDOWS\System32\tgovvjbr.ini not found!
File C:\WINDOWS\System32\ogepazih.ini not found!
File C:\WINDOWS\System32\upuboban.ini not found!
File C:\WINDOWS\System32\kpcqsi.dll not found!
File C:\WINDOWS\System32\indqhpcs.dll not found!
File C:\WINDOWS\System32\unihuvov.ini not found!
File C:\WINDOWS\System32\uyobamin.ini not found!
File C:\WINDOWS\System32\nqewyjqb.dll not found!
File C:\WINDOWS\System32\dvmgfb.dll not found!
File C:\WINDOWS\System32\hykxmi.dll not found!
File C:\WINDOWS\System32\aojfwwvg.dll not found!
File C:\WINDOWS\System32\yehifuni.dll not found!
File C:\WINDOWS\System32\dbwtprta.dll not found!
File C:\WINDOWS\System32\bopwkj.dll not found!
File C:\WINDOWS\System32\ahibudam.ini not found!
File C:\WINDOWS\System32\tubiwewa.dll not found!
File C:\WINDOWS\System32\crsmrreo.ini not found!
File C:\WINDOWS\System32\hasgioqr.dll not found!
File C:\WINDOWS\System32\dtdgwg.dll not found!
File C:\WINDOWS\System32\kcfvcmvc.ini not found!
File C:\WINDOWS\System32\xxyxUono.dll not found!
File C:\WINDOWS\System32\mlJaaaAQ.dll not found!
File C:\WINDOWS\System32\mzmgrq.dll not found!
File C:\WINDOWS\System32\kgscjvhj.dll not found!
File C:\WINDOWS\System32\yayyYPiJ.dll.vir not found!
[File - Lop Check]
File C:\Documents and Settings\Letori\Application Data\Twain not found!
File C:\WINDOWS\Tasks\jtfyllfp.job not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5b4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.4.2 fix logfile created on 12302008_134037

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5b4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_f8.dat not found!

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nxezyd.dll scheduled to be deleted on reboot.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls: yrqnbq.dll hdgetg.dll scheduled to be deleted on reboot.






HT logfile here:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:25 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Letori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.mi...t.aspx?ln=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Letori\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Letori\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200126726422
O20 - AppInit_DLLs: yrqnbq.dll hdgetg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 4843 bytes





Will post again in a moment with the MWB log (wouldn't let me update the program before, but seems to work fine now :-\ )

Here's the logfile from the updated Malwarebytes quickscan:

Malwarebytes' Anti-Malware 1.31
Database version: 1579
Windows 5.1.2600 Service Pack 3

12/30/2008 1:51:24 PM
mbam-log-2008-12-30 (13-51-24).txt

Scan type: Quick Scan
Objects scanned: 48179
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dalusulo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gopikobi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

How is it running now ?

I would just like to confirm that one entry has gone

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - AppInit_DLLs: yrqnbq.dll hdgetg.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Gotta say, things are running noticeably smoother. I did the HT scan and removed the entry you indicated. Thank you so much for your help. Think I'll go read those threads on "How to avoid infection" now

Even better

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so...Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
• In the Drop down box that appears select your main drive e.g. C
• Click OK
• The System will do some calculation and the display a dialogue box with TABS
• Select the More Options Tab.
• At the bottom will be a system restore box with a CLEANUP button click this
• Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Secunia Software inspector To check your programme update status
• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.