I have one or more pieces of malware on my computer. Spybot S&D said that it's Virtumonde, but it can't fix it. So I used VundoFix.exe and VirtumundoBeGone.exe to remove it, but there is still some infection. Please help me.
Here is the HJT log (this is batko.exe):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:56, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Install\AntiMalware\batko.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kaiowas.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaiowas.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091C54FD-9AA0-4922-B2F6-F5E13B569C79} - C:\WINDOWS\system32\fccdeBSI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {917F5C16-FD15-488F-B1B4-99DD5F158390} - (no file)
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - (no file)
O2 - BHO: (no name) - {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM8b632314] Rundll32.exe "C:\WINDOWS\system32\qdjqxhab.dll",s
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1292428093-573735546-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191689892265
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0BAF74F-BD3F-4964-8269-DC1A50124CAD}: NameServer = 84.54.136.129
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnlJcaY - C:\WINDOWS\
O23 - Service: Apache2.2 - Apache Software Foundation - D:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 8311 bytes
And here is the log from VirtumundoBeGone.exe (VBG.TXT):
[05/17/2008, 20:43:18] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Senator\Desktop\VirtumundoBeGone.exe" )
[05/17/2008, 20:43:22] - Detected System Information:
[05/17/2008, 20:43:22] - Windows Version: 5.1.2600, Service Pack 2
[05/17/2008, 20:43:22] - Current Username: Senator (Admin)
[05/17/2008, 20:43:22] - Windows is in SAFE mode with Networking.
[05/17/2008, 20:43:22] - Searching for Browser Helper Objects:
[05/17/2008, 20:43:22] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:43:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:43:22] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:43:22] - BHO 4: {B3102264-D09D-4322-B625-503FBF18DD7E} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - Checking for HKLM\...\Winlogon\Notify\opnlJcaY
[05/17/2008, 20:43:22] - Found: HKLM\...\Winlogon\Notify\opnlJcaY - This is probably Virtumundo.
[05/17/2008, 20:43:22] - Assigning {B3102264-D09D-4322-B625-503FBF18DD7E} MSEvents Object
[05/17/2008, 20:43:22] - BHO list has been changed! Starting over...
[05/17/2008, 20:43:22] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:43:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:43:22] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:43:22] - BHO 4: {B3102264-D09D-4322-B625-503FBF18DD7E} (MSEvents Object)
[05/17/2008, 20:43:22] - ALERT: Found MSEvents Object!
[05/17/2008, 20:43:22] - BHO 5: {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - No filename found. Continuing.
[05/17/2008, 20:43:22] - BHO 6: {F5F76B80-9542-4591-B4D2-7E09A6029E90} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - Checking for HKLM\...\Winlogon\Notify\fccdeBSI
[05/17/2008, 20:43:22] - Key not found: HKLM\...\Winlogon\Notify\fccdeBSI, continuing.
[05/17/2008, 20:43:22] - Finished Searching Browser Helper Objects
[05/17/2008, 20:43:22] - *** Detected MSEvents Object
[05/17/2008, 20:43:22] - Trying to remove MSEvents Object...
[05/17/2008, 20:43:23] - Terminating Process: IEXPLORE.EXE
[05/17/2008, 20:43:23] - Terminating Process: RUNDLL32.EXE
[05/17/2008, 20:43:23] - Disabling Automatic Shell Restart
[05/17/2008, 20:43:23] - Terminating Process: EXPLORER.EXE
[05/17/2008, 20:43:23] - Suspending the NT Session Manager System Service
[05/17/2008, 20:43:23] - Terminating Windows NT Logon/Logoff Manager
[05/17/2008, 20:48:52] - Re-enabling Automatic Shell Restart
[05/17/2008, 20:48:52] - File to disable: C:\WINDOWS\system32\opnlJcaY.dll
[05/17/2008, 20:48:52] - Renaming C:\WINDOWS\system32\opnlJcaY.dll -> C:\WINDOWS\system32\opnlJcaY.dll.vir
[05/17/2008, 20:48:52] - File successfully renamed!
[05/17/2008, 20:48:52] - Removing HKLM\...\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Removing HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Adding Kill Bit for ActiveX for GUID: {B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Deleting ATLEvents/MSEvents Registry entries
[05/17/2008, 20:48:52] - Removing HKLM\...\Winlogon\Notify\opnlJcaY
[05/17/2008, 20:48:52] - Searching for Browser Helper Objects:
[05/17/2008, 20:48:52] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:48:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:48:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:48:52] - BHO 4: {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} ()
[05/17/2008, 20:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:48:52] - No filename found. Continuing.
[05/17/2008, 20:48:52] - BHO 5: {F5F76B80-9542-4591-B4D2-7E09A6029E90} ()
[05/17/2008, 20:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:48:52] - Checking for HKLM\...\Winlogon\Notify\fccdeBSI
[05/17/2008, 20:48:52] - Key not found: HKLM\...\Winlogon\Notify\fccdeBSI, continuing.
[05/17/2008, 20:48:52] - Finished Searching Browser Helper Objects
[05/17/2008, 20:48:52] - Finishing up...
[05/17/2008, 20:48:52] - A restart is needed.
[05/17/2008, 20:49:04] - Attempting to Restart via STOP error (Blue Screen!)