Vundo Infected - need help !! (PC Help Forum, Security & Safety » [Fixed] Hijackthis! Logs)
#1
07-31-2007
smijovincent (Bronze Member, Join Date: Jul 2007, Posts: 4)
Vundo Infected - need help !!

For the past 2 days my system has become very slow with high CPU utilization. On logging on to the internet I get a pop-up about my system patches and updates being updated... this is followed by many IE windows opening up to download the WinAntiSpyware application. The NAV Internet Security version 2006 installed on my comp pops up with a message of Trojan.Vundo detected on my computer, which it sometimes is able to fix, but most of the time I manually delete the files.

> I downloaded the Symantec Vundo removal tool and ran it... but it is no help to me.
> Tried VundoFix... it found some dll files which it deleted... but whenever I log on to the internet the pop-ups come up.
> Scanned the computer using VirtumundoBeGone but with no help.

All the scans seem to be deleting the infected dll files, reg keys etc., but whenever I log on to the internet I still have the same issues... slow response, system hanging, explorer.exe errors and the pop-ups.

A full computer scan with NAV does not find any infections... hence please help.

HijackThis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:00:33 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Smijo Vincent\Desktop\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SMIJO VINCENT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.235.168.180:3120
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 Shopping | Online Shopping | Shopping Mall | Outlet Store | Discount Shopping | Retail India Shopping
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jrighkji.dll",forkonce
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infrastructure.home.ge.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/Tec...cueControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61B4103A-AA9A-48B7-AD95-723B3DA2277D}: NameServer = 202.144.105.4,202.144.10.50
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 9714 bytes

HijackThis StartupList log

StartupList report, 7/31/2007, 6:03:34 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Smijo Vincent\Desktop\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Smijo Vincent\Desktop\HiJackThis_v2.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
SystemOptimizer = rundll32.exe "C:\WINDOWS\system32\jrighkji.dll",forkonce
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SifyBB = C:\Program Files\Sify Broadband\BBImpSec.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------

Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Run Full System Scan - Smijo Vincent.job
AppleSoftwareUpdate.job
MP Scheduled Scan.job
--------------------------------------------------
Enumerating Download Program Files:
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[LogMeIn Rescue Technician Console]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RescueControl.dll
CODEBASE = https://secure.logmeinrescue.com/Tec...cueControl.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 6,725 bytes
Report generated in 0.063 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2
07-31-2007
smijovincent (Bronze Member, Join Date: Jul 2007, Posts: 4)

VirtumundoBeGone log


[07/31/2007, 17:27:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Smijo Vincent\Desktop\VirtumundoBeGone.exe" )
[07/31/2007, 17:27:46] - Detected System Information:
[07/31/2007, 17:27:46] - Windows Version: 5.1.2600, Service Pack 2
[07/31/2007, 17:27:46] - Current Username: Smijo Vincent (Admin)
[07/31/2007, 17:27:46] - Windows is in NORMAL mode.
[07/31/2007, 17:27:46] - Searching for Browser Helper Objects:
[07/31/2007, 17:27:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2007, 17:27:47] - BHO 2: {3964D8D6-86D0-493A-B460-A805B5401114} ()
[07/31/2007, 17:27:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2007, 17:27:47] - Checking for HKLM\...\Winlogon\Notify\qommnom
[07/31/2007, 17:27:47] - Found: HKLM\...\Winlogon\Notify\qommnom - This is probably Virtumundo.
[07/31/2007, 17:27:47] - Assigning {3964D8D6-86D0-493A-B460-A805B5401114} MSEvents Object
[07/31/2007, 17:27:47] - BHO list has been changed! Starting over...
[07/31/2007, 17:27:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2007, 17:27:47] - BHO 2: {3964D8D6-86D0-493A-B460-A805B5401114} (MSEvents Object)
[07/31/2007, 17:27:47] - ALERT: Found MSEvents Object!
[07/31/2007, 17:27:47] - BHO 3: {3B5EAA06-A5EA-47CB-913D-3648CD4BEF4F} ()
[07/31/2007, 17:27:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2007, 17:27:47] - Checking for HKLM\...\Winlogon\Notify\mllml
[07/31/2007, 17:27:47] - Key not found: HKLM\...\Winlogon\Notify\mllml, continuing.
[07/31/2007, 17:27:47] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/31/2007, 17:27:47] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[07/31/2007, 17:27:47] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[07/31/2007, 17:27:48] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/31/2007, 17:27:48] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[07/31/2007, 17:27:48] - BHO 9: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/31/2007, 17:27:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2007, 17:27:48] - Checking for HKLM\...\Winlogon\Notify\jnthovgn
[07/31/2007, 17:27:48] - Key not found: HKLM\...\Winlogon\Notify\jnthovgn, continuing.
[07/31/2007, 17:27:48] - BHO 10: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[07/31/2007, 17:27:48] - Finished Searching Browser Helper Objects
[07/31/2007, 17:27:48] - *** Detected MSEvents Object
[07/31/2007, 17:27:48] - Trying to remove MSEvents Object...
[07/31/2007, 17:27:49] - Terminating Process: IEXPLORE.EXE
[07/31/2007, 17:27:50] - Terminating Process: RUNDLL32.EXE
[07/31/2007, 17:27:50] - Disabling Automatic Shell Restart
[07/31/2007, 17:27:50] - Terminating Process: EXPLORER.EXE
[07/31/2007, 17:27:51] - Suspending the NT Session Manager System Service
[07/31/2007, 17:27:51] - Terminating Windows NT Logon/Logoff Manager
[07/31/2007, 17:27:51] - Re-enabling Automatic Shell Restart
[07/31/2007, 17:27:51] - File to disable: C:\WINDOWS\system32\qommnom.dll
[07/31/2007, 17:27:51] - Renaming C:\WINDOWS\system32\qommnom.dll -> C:\WINDOWS\system32\qommnom.dll.vir
[07/31/2007, 17:27:51] - ! File rename was unsucessful.
[07/31/2007, 17:27:51] - Attempting to Deny Access to C:\WINDOWS\system32\qommnom.dll
[07/31/2007, 17:27:52] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[07/31/2007, 17:27:52] - processed file: C:\WINDOWS\system32\qommnom.dll
[07/31/2007, 17:27:52] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[07/31/2007, 17:27:52] - Removing HKLM\...\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/31/2007, 17:27:52] - Removing HKCR\CLSID\{3964D8D6-86D0-493A-B460-A805B5401114}
[07/31/2007, 17:27:52] - Adding Kill Bit for ActiveX for GUID: {3964D8D6-86D0-493A-B460-A805B5401114}
[07/31/2007, 17:27:52] - Deleting ATLEvents/MSEvents Registry entries
[07/31/2007, 17:27:52] - Removing HKLM\...\Winlogon\Notify\qommnom
[07/31/2007, 17:27:52] - Searching for Browser Helper Objects:
[07/31/2007, 17:27:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/31/2007, 17:27:52] - BHO 2: {3B5EAA06-A5EA-47CB-913D-3648CD4BEF4F} ()
[07/31/2007, 17:27:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2007, 17:27:52] - Checking for HKLM\...\Winlogon\Notify\mllml
[07/31/2007, 17:27:52] - Key not found: HKLM\...\Winlogon\Notify\mllml, continuing.
[07/31/2007, 17:27:52] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/31/2007, 17:27:52] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[07/31/2007, 17:27:52] - BHO 5: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[07/31/2007, 17:27:52] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/31/2007, 17:27:52] - BHO 7: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[07/31/2007, 17:27:52] - BHO 8: {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} ()
[07/31/2007, 17:27:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/31/2007, 17:27:52] - Checking for HKLM\...\Winlogon\Notify\jnthovgn
[07/31/2007, 17:27:52] - Key not found: HKLM\...\Winlogon\Notify\jnthovgn, continuing.
[07/31/2007, 17:27:52] - BHO 9: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[07/31/2007, 17:27:52] - Finished Searching Browser Helper Objects
[07/31/2007, 17:27:52] - Finishing up...
[07/31/2007, 17:27:52] - A restart is needed.
[07/31/2007, 17:27:52] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[07/31/2007, 17:28:09] - Attempting to Restart via STOP error (Blue Screen!)
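As an added example (not code from the thread, nor from HijackThis, VirtumundoBeGone or ComboFix), the Python script below does in code what an analyst does by eye on the two logs above. It parses HijackThis-style R1/O1/O2/O4 lines and flags the entries that stand out in post #1 (the IE ProxyServer override, the hosts-file line pointing a bank hostname at a public IP, and the Run entry that starts a DLL in system32 through rundll32), and it applies the cross-check the VirtumundoBeGone log in post #2 documents: an O2 BHO with no default name whose DLL basename is also a HKLM\...\Winlogon\Notify subkey is treated as probable Virtumundo. The sample lines and the Winlogon\Notify set are constructed (the IPs, hostname, CLSIDs and DLL names are the ones posted in the thread); the function names are the example's own.

```python
"""Triage helper for HijackThis-style log lines (added example).

Not code from the thread or from HijackThis, VirtumundoBeGone or ComboFix.
It does what an analyst does by eye on the logs above:
  * flags an IE ProxyServer override (R1), a hosts-file entry that points a
    named host at a non-loopback IP (O1) and a Run entry that starts a DLL
    from the system directory through rundll32 (O4)
  * applies the VirtumundoBeGone cross-check: an O2 BHO with no default
    name whose DLL basename is also a HKLM\\...\\Winlogon\\Notify subkey
The registry view is a constructed set so the script runs anywhere; on a
live XP box it would be read with winreg instead.
"""
import re
from typing import List, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, HJT entry type, message)

# Constructed sample input modelled on post #1. The IP addresses, hostname,
# CLSIDs and DLL names are the ones that appear in the thread; the unnamed
# O2 line is assembled from the VirtumundoBeGone output in post #2.
SAMPLE_HJT_LINES = [
    r'R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.235.168.180:3120',
    r'O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com',
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\qommnom.dll',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jrighkji.dll",forkonce',
]

# Constructed stand-in for the Winlogon\Notify subkeys on the machine: a few
# stock Windows XP names plus the one VirtumundoBeGone reported (qommnom).
SAMPLE_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "qommnom"}

_PROXY_RE = re.compile(r'^R\d - .*ProxyServer = (\S+)')
_HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')
_BHO_RE = re.compile(r'^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$')
_RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\]\s+(.*)$')
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?(?:,(\w+))?', re.IGNORECASE)


def dll_basename(path: str) -> str:
    """Strip directory and extension: C:\\WINDOWS\\system32\\qommnom.dll -> qommnom."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(lines: List[str], winlogon_notify: Set[str]) -> List[Finding]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Finding] = []
    notify = {k.lower() for k in winlogon_notify}
    for raw in lines:
        line = raw.strip()

        m = _PROXY_RE.match(line)
        if m:
            findings.append(("high", "R1", f"IE proxy override to {m.group(1)}; browser traffic can be intercepted"))
            continue

        m = _HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # HijackThis itself only treats 127.0.0.1 localhost as benign
            if ip not in ("127.0.0.1", "::1") and host.lower() != "localhost":
                findings.append(("high", "O1", f"hosts file maps {host} to {ip}; possible pharming redirect"))
            continue

        m = _BHO_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)":
                base = dll_basename(path)
                if base in notify:  # the VirtumundoBeGone cross-check
                    findings.append(("high", "O2", f"unnamed BHO {clsid} loads {base}.dll, which is also a Winlogon\\Notify key: probably Virtumundo"))
                else:
                    findings.append(("medium", "O2", f"unnamed BHO {clsid} loads {path}; review"))
            continue

        m = _RUN_RE.match(line)
        if m:
            hive, label, cmd = m.groups()
            r = _RUNDLL_RE.search(cmd)
            if r and "\\system32\\" in r.group(1).lower():
                dll, entry = r.groups()
                findings.append(("medium", "O4", f"{hive} Run entry [{label}] starts {dll} via rundll32 (entry point {entry or 'n/a'}); review"))
    return findings


if __name__ == "__main__":
    for severity, kind, msg in triage(SAMPLE_HJT_LINES, SAMPLE_WINLOGON_NOTIFY):
        print(f"[{severity:6}] {kind}: {msg}")
```

Run as-is it reports four findings for the sample: the proxy override, the hosts redirect, the unnamed BHO matched against the Winlogon\Notify set, and the rundll32 Run entry. The O4 rule is deliberately a "review" rather than a verdict: legitimate software also starts DLLs through rundll32, so the DLL path and entry point are surfaced for the analyst rather than judged by name.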


#3
08-02-2007
chiaz (Senior Security Analyst, Join Date: Jun 2006, Location: Singapore, Posts: 2,502, PC Experience: PC Guru)

Hello, and sorry for the delay. The security team had been very busy.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


#4
08-03-2007
smijovincent (Bronze Member, Join Date: Jul 2007, Posts: 4)

Chiaz... thanks for the reply... the hyperlink to the app name in your post does not work, hence I downloaded the app from http://download.bleepingcomputer.com/sUBs/ComboFix.exe

The log is attached to the reply.

Cheers !!
Smijo Vincent
Attached Files
File Type: txt ComboFix.txt (15.8 KB, 1 views)


#5
08-03-2007
chiaz (Senior Security Analyst, Join Date: Jun 2006, Location: Singapore, Posts: 2,502, PC Experience: PC Guru)

Right.

Post a new HijackThis log in your next reply. Are you still getting the Vundo pop-ups?


#6
08-06-2007
smijovincent (Bronze Member, Join Date: Jul 2007, Posts: 4)
Re: Vundo Infected - need help !!

Installed Windows Defender and did a complete scan... it found some of these creeps. The pop-ups stopped after that... however my ever-sleeping NAV comes up with an alert reporting a Vundo and it is trying its best to kill it... it never did any good. Attached are my latest log files... HijackThis, ComboFix and VBG.
Attached Files
File Type: log hijackthis.log (9.5 KB, 1 views)
File Type: txt combofix.txt (15.8 KB, 1 views)
File Type: txt VBG.TXT (1.2 KB, 2 views)



Powered by vBulletin. All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com