syspotect/vundo problem - HELP!

I've got this same sys protect thing that's going around. here's a copy of my log, any help would be great, thanks!

Logfile of HijackThis v1.99.1
Scan saved at 1:17:35 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1153288283\ee\AOLSoftware.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1153288283\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://blackboard.stthomas.edu/webapps/login
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\mllmj.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153288283\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

Hi again blakkout

Cleaning instructions:

Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/

-> Open Ewido Anti-Spyware
-> Click the Update icon at the top of the window
-> Click the Start update button
-> Wait for the update to download and install
-> Quit the program, we'll use this later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Go to Control Panel -> Add/Remove programs -> Remove MyWaySA or similar if found

Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\mllmj.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\MyWaySA

Run ATF Cleaner -> Check select all -> Press Empty selected

-> Open Ewido Anti-Spyware
-> Click the Scanner icon at the top of the window
-> Click the Settings tab then select Recommended Options and choose Quarantine
-> Click the Scan tab
-> Select Complete System Scan. The scanning begins.

-> When the scan has completed:
-> If infections were found you'll be prompted about what to do.
-> Please make sure that the Set all elements to is set to Quarantine (in downleft corner of the window)
-> Then press Apply all actions and answer yes to all if it asks about something
-> Click on the Save Scan Report button and save the scan to your Desktop.
-> Copy and paste the scan results into your next post

Clean the Recycle bin.

Restart your computer normally.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> Contents of C:\vundofix.txt

 

Thank yo very much for all your help. Before I show you my logs, I have one last question. Now that I've downloaded HijackThis, Ewido, ATF-Cleaner, and VundoFix, assuming that the vundo is gone is it ok for me to delete all 4 of those programs? Also, when I was removing the files from HijackThis like you said, some of the ones you listed weren't on my HJT report, is this normal? Thanks, here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 1:45:31 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HijackThis\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1153288283\ee\AOLSoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://blackboard.stthomas.edu/webapps/login
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153288283\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\HijackThis\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\HijackThis\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:36:21 PM 7/23/2006

+ Scan result:



C:\WINDOWS\system32\smcuyvxh.dll -> Logger.VBStat.c : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ahvlgvor.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cdswcful.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gqfavmjp.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\htrpbcbv.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ilqflhfl.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kioljufy.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lgksyiii.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ljbkawtj.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mibuowaj.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nuvxamxb.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\payamssn.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pkxwqqro.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ravtbjsx.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlnepejc.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ruosmkhh.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vkyqsxhj.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).


::Report end


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 12:33:03 PM 7/23/2006

Listing files found while scanning....

C:\windows\system32\mllmj.dll
C:\windows\system32\jmllm.ini
C:\windows\system32\jmllm.bak1
C:\windows\system32\jmllm.bak2
C:\windows\system32\jmllm.ini2
C:\windows\system32\jmllm.tmp
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\mllmj.dll
C:\windows\system32\mllmj.dll Has been deleted!

Attempting to delete C:\windows\system32\jmllm.ini
C:\windows\system32\jmllm.ini Has been deleted!

Attempting to delete C:\windows\system32\jmllm.bak1
C:\windows\system32\jmllm.bak1 Has been deleted!

Attempting to delete C:\windows\system32\jmllm.bak2
C:\windows\system32\jmllm.bak2 Has been deleted!

Attempting to delete C:\windows\system32\jmllm.ini2
C:\windows\system32\jmllm.ini2 Has been deleted!

Attempting to delete C:\windows\system32\jmllm.tmp
C:\windows\system32\jmllm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

 

Sorry to butt in, but I have a similar problem. Can I just follow the same instructions, or do I need to do something specific to my PC?

I have HJT installed, so I can post a log if someone doesn't mind helping me.

Thanks in advance.

 

@blakkout

Yes you can remove those programs if you want but I recommend that you keep Ewido. It is a good scanner and you could update & scan your computer regularly with it.

You're looking clean now

You don't seem to have a firewall on your pc, I recommend that you install one.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

If you used windows firewall, disable it after installing new firewall.

Then you can make your hidden files hidden again.

Then you can clean Ewido's quarantine:
-> Open Ewido
-> Choose "Infections"
-> Click "Select all"
-> Click "Remove finally"
-> Close Ewido

You should update your Java (old version has all kinds of vulnerabilities)

1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup)
2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart.
3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as
Java 2 Runtime Environment, SE v1.4.2_03

Now that you're clean, here are some tips how to stay clean.

-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

-> Use CCleaner -> http://www.ccleaner.com
Download and install CCleaner. Clean your registry and temporary files with it regularly.

-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
Download and install Ad-Aware. Update it and scan your computer regularly with it.

-> Use Ewido -> http://www.ewido.net/en
Download and install Ewido. Update it and scan your computer regularly with it.

-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster will prevent spyware from being installed to your computer.

-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
This prevents your computer from connecting to harmful sites.

-> Change your browser to Firefox -> http://www.mozilla.org
Firefox is faster, safer and quicker browser than Internet Explorer.

-> Keep your systen up-to-date -> http://windowsupdate.microsoft.com
Visit Windows Update regularly.

-> Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
So how did I get infected in the first place?

Stay clean

-------------------------------------------

@barkat

Yes you can post your HjT log to here

 

Thanks you very much for all of your help. It's really nice to know that there are still good people out there willing to help everyone else...

 

You're welcome

 

Thanks, JaPK.

At the moment, I'm getting a few 'sysprotect' popups. I was also getting some popups for Expedia, but I think they may have stopped now.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 07:58:52, on 01/08/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\insight\tools\aiclient.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\insight\tools\AICR.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
c:\epa.epa\EPAService.exe
c:\epa.epa\EPMService.exe
c:\epa.epa\epm.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Douwe Egberts Coffee Manager\CoffeeManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Barry\Software\ProcessExplorerNt\procexp.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Barry\Pers\Bemused\BemusedServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\Citrix\icaweb32\Wfcrun32.exe
C:\PROGRA~1\Citrix\icaweb32\WFICA32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\Citrix\icaweb32\WFICA32.EXE
C:\WINNT\system32\rundll32.exe
C:\Barry\Pers\Downloads\PC Apps\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://focus/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Vodafone Office Systems
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://netcache/proxy.pac
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C31330D-36A5-483D-8666-0B7C9E282059} - C:\WINNT\system32\ssqon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {98E18836-F05E-4C28-8A23-8EE3B6E0FB3B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Cobian Backup 7] "C:\Program Files\Cobian Backup 7\CobBU.exe"
O4 - HKCU\..\Run: [Douwe Egberts Koffiemanager] C:\Program Files\Douwe Egberts Coffee Manager\CoffeeManager.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - Startup: Backup_prompt.bat.lnk = C:\Documents and Settings\lennonb1\Desktop\Vx_Memos.bat
O4 - Startup: Process Explorer.lnk = C:\Barry\Software\ProcessExplorerNt\procexp.exe
O4 - Startup: ScreenHunter 4.0 Free.lnk.disabled
O4 - Startup: Shortcut to BemusedServer.exe.lnk = C:\Barry\Pers\Bemused\BemusedServer.exe
O4 - Startup: Vodafone Application Access Portal - Login.url
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Startup: Yahoo Mail.url
O4 - Global Startup: BTTray.lnk = C:\Program Files\Dell\Bluetooth Software\BTTray.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://focus/
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Barry\Temp\Learndirect\aw_player52\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} (esProxy.GeneralHandler) - http://echospin.com/wizard/files/esWizard.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140511587971
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {aa44da02-7f61-11d4-a3e1-00c04fa32518} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF} (JInitiator 1.3.1.24) -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vfl.vodafone
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vfl.vodafone
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vfl.vodafone
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\
O20 - Winlogon Notify: ssqon - C:\WINNT\system32\ssqon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\PROGRA~1\insight\tools\aiclient.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: EPAService - Unknown owner - c:\epa.epa\EPAService.exe
O23 - Service: EPMService - Unknown owner - c:\epa.epa\EPMService.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NetOp Helper ver. 8.00 (2005095) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\danware data\netop remote control\HOST\NHOSTSVC.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\ORANT\BIN\ONRSD80.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

 

Hi barkat, you're infected.

Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on

Run a scan with WinPFind -> http://www.bleepingcomputer.com/files/winpfind.php
Save its log and post it to here

Post a new HijackThis log and the contents of C:\vundofix.txt and the WinPfind log.

 

JaKP

Thanks for your reply and your offer of help.

Unfortunately I could not get VUNDO to run 'as a task'. I really don't know why (tried a few times and tried in Safe Mode, etc.).

As it happens, I've logged into the work network this morning and received an e-mail saying that a virus has been spotted and someone from the IT helpdesk will contact me about it, so I may not need to bother you further.

Thanks again - I may be in touch soon!