I've been infected with umonitor. After doing some online research it looks like there's no easy fix, but so far I've:
Removed C:\Program Files\SED (and the applicable registry entry).
I've just run findit; the output file follows. Anyone who can help will be my new GOD!
Thanks
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\findit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5833-2363
Directory of C:\WINNT\System32
13/01/2005 10:26a 224,592 kfd103.dll
13/01/2005 10:23a 224,592 dn6s01j7e.dll
13/01/2005 10:04a 223,232 c8000idme80a0.dll
06/01/2005 02:13p 223,232 tbpmonui.dll
06/01/2005 12:44p 224,892 j0p0la7m1d.dll
5 File(s) 1,120,540 bytes
0 Dir(s) 13,055,973,376 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5833-2363
Directory of C:\WINNT\System32
03/12/2004 04:23p 79,872 taskmgn.exe
28/06/2001 04:45p <DIR> GroupPolicy
1 File(s) 79,872 bytes
1 Dir(s) 13,055,973,376 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 5833-2363
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 5833-2363
Directory of C:\WINNT\System32
13/01/2003 02:57p 589,881 SET2C05.tmp
08/05/2001 08:00a 487,481 OLD2C08.tmp
08/05/2001 08:00a 2,577 CONFIG.TMP
3 File(s) 1,079,939 bytes
0 Dir(s) 13,055,973,376 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2A0D7344-EE3B-4A55-B9EF-5D2391253CA3}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\kfd103.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"PROMon.exe"="PROMon.exe"
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WeatherOnTray"="C:\\Program Files\\Hotbar\\bin\\4.4.5.0\\WeatherOnTray.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Windows Task Manager"="C:\\winnt\\system32\\taskmgn.exe"
"WebRebates0"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"WinTools"="C:\\Program Files\\Common Files\\WinTools\\WToolsA.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"