
Genetik trojan & Adware.Virtumonde


Original Message
Name: dentalchick
Date: August 19, 2007 at 06:53:08 Pacific
Subject: Genetik trojan & Adware.Virtumonde
OS: xp
CPU/Ram: core duo
Model/Manufacturer: intel
Comment:

My computer is really slow and I can't do anything with it. My NOD32 warns me about C:\WINDOWS\system32\pmnno.dll - een variant van Win32/Adware.Virtumonde.FP applicatie
C:\WINDOWS\system32\ddcbcbc.dll - mogelijke variant van Win32/Genetik trojan but I can't delete the files. I'm really thinking about formatting C and starting all over. But it would take me forever to get all my proggies up and running again...

Please help!!




Response Number 1
Name: jabuck
Date: August 19, 2007 at 07:14:44 Pacific

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: dentalchick
Date: August 19, 2007 at 07:27:57 Pacific

Hi
after a search in this forum I already downloaded and ran the VundoFix and I hope I got rid of the Virtumonde. It took 2 times to clean all the Vundo.

I ran the scan as stated above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:37, on 19-8-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
g:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
g:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS01?FORM...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.nl/0SENLNL/SAOS01?FORM...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E3218A77-BCD5-4D0E-9FCA-D91FC00F293B} - C:\WINDOWS\system32\pmnno.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "g:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menu...
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 - Extra context menu item: Openen in een nieuwe achtergrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?91369feb38874a8c9717473b9e07063b
O8 - Extra context menu item: Openen in een nieuwe voorgrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?91369feb38874a8c9717473b9e07063b
O8 - Extra context menu item: Post2Blog - C:\Program Files\Post2Blog\post2blog_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\g1227656.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\g1227656.dll (file missing)
O9 - Extra button: Post2Blog - {5D0647D9-1B01-41C5-B84E-4FA664F13C6E} - C:\Program Files\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {63A31F37-93B2-4061-9AEB-58CE1632C6C0} - C:\Program Files\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {63A31F37-93B2-4061-9AEB-58CE1632C6C0} - C:\Program Files\Post2Blog\post2blog_ie.html
O9 - Extra button: Movies Extractor Scout - {A5C246F8-5BCA-4E81-A02C-310FE41A0A04} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/Phot...
O17 - HKLM\System\CCS\Services\Tcpip\..\{F90DE070-8ECB-418A-B5B5-48BE309422CD}: NameServer = 195.64.32.3,195.18.115.5
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O22 - SharedTaskScheduler: Windowz Updater - {259BA021-2005-45E9-A965-10EDB9C00618} - (no file)
O22 - SharedTaskScheduler: Windowz Updater - Software\Classes\CLSID\Software\Classes\CLSID\ - (no file)
O22 - SharedTaskScheduler: Windowz Updater -  - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - g:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10170 bytes



Response Number 3
Name: dentalchick
Date: August 19, 2007 at 07:45:49 Pacific

VundoFix log:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 16:10:40 19-8-2007

Listing files found while scanning....

C:\DOCUME~1\PGNODD~1\LOCALS~1\Temp\mqgmqrta.dll
C:\windows\system32\anonwdiu.tmp
C:\WINDOWS\system32\byucfdho.dll
C:\WINDOWS\system32\ddcbcbc.dll
C:\windows\system32\deqmagmf.ini2
C:\windows\system32\deqmagmf.tmp
C:\windows\system32\fmgamqed.dll
C:\windows\system32\onnmp.bak1
C:\windows\system32\onnmp.bak2
C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini2
C:\windows\system32\onnmp.tmp
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\rtsueihv.dll
C:\windows\system32\uidwnona.dll

Beginning removal...

Attempting to delete C:\windows\system32\anonwdiu.tmp
C:\windows\system32\anonwdiu.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbcbc.dll
C:\WINDOWS\system32\ddcbcbc.dll Could not be deleted.

Attempting to delete C:\windows\system32\deqmagmf.ini2
C:\windows\system32\deqmagmf.ini2 Has been deleted!

Attempting to delete C:\windows\system32\deqmagmf.tmp
C:\windows\system32\deqmagmf.tmp Has been deleted!

Attempting to delete C:\windows\system32\fmgamqed.dll
C:\windows\system32\fmgamqed.dll Has been deleted!

Attempting to delete C:\windows\system32\onnmp.bak1
C:\windows\system32\onnmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\onnmp.bak2
C:\windows\system32\onnmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini2
C:\windows\system32\onnmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\onnmp.tmp
C:\windows\system32\onnmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnno.dll Has been deleted!

Attempting to delete C:\windows\system32\uidwnona.dll
C:\windows\system32\uidwnona.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 16:17:10 19-8-2007

Listing files found while scanning....

C:\windows\system32\ddcbcbc.dll

Beginning removal...

Attempting to delete C:\windows\system32\ddcbcbc.dll
C:\windows\system32\ddcbcbc.dll Has been deleted!

Performing Repairs to the registry.
Done!



Response Number 4
Name: jabuck
Date: August 19, 2007 at 11:41:20 Pacific

Run Hijack This again, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)

O2 - BHO: (no name) - {E3218A77-BCD5-4D0E-9FCA-D91FC00F293B} - C:\WINDOWS\system32\pmnno.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menu...

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\g1227656.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\g1227656.dll (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)

O22 - SharedTaskScheduler: Windowz Updater - {259BA021-2005-45E9-A965-10EDB9C00618} - (no file)

O22 - SharedTaskScheduler: Windowz Updater - Software\Classes\CLSID\Software\Classes\CLSID\ - (no file)
O22 - SharedTaskScheduler: Windowz Updater -  - (no file)

Temporarily disable any of the following anti-spyware realtime protection programs that you may have as per the instructions at this site Disable Realtime Protection

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces, combofix.txt.
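
Reading a HijackThis log by hand, as jabuck does above, comes down to a few checks: entries whose file is gone, unnamed BHOs, SharedTaskScheduler items, and the same CLSID showing up under more than one hook (in the log above, {A4F94C0C-...} is both an O2 BHO and an O22 SharedTaskScheduler item). The script below is an added example, not HijackThis code and not from this thread, that applies those checks to a constructed sample built from the entry types in the log; the heuristics and names are our own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v2 log format: a subset of the entry
# types discussed in this thread, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O2 - BHO: (no name) - {E3218A77-BCD5-4D0E-9FCA-D91FC00F293B} - C:\WINDOWS\system32\pmnno.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "g:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\g1227656.dll (file missing)
O22 - SharedTaskScheduler: z - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O22 - SharedTaskScheduler: Windowz Updater - {259BA021-2005-45E9-A965-10EDB9C00618} - (no file)
O22 - SharedTaskScheduler: Windowz Updater -  - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - g:\Program Files\Eset\nod32krn.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        c = CLSID_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], c.group(0).upper() if c else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry that deserves a closer look; return only those."""
    # Which sections each CLSID is registered under. In the log above the same
    # CLSID appears as both a BHO (O2) and a SharedTaskScheduler item (O22), so
    # removing only one of the two leaves the other to load the DLL.
    sections_by_clsid = {}
    for e in entries:
        if e.clsid:
            sections_by_clsid.setdefault(e.clsid, set()).add(e.section)

    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.reasons.append("points at a file that no longer exists (orphaned autostart)")
        if e.section == "O2" and "(no name)" in e.body:
            e.reasons.append("browser helper object with no name")
        if e.section == "O22":
            e.reasons.append("SharedTaskScheduler entry (rarely used by legitimate software)")
        if e.clsid and len(sections_by_clsid[e.clsid]) > 1:
            e.reasons.append("same CLSID registered under " + ", ".join(sorted(sections_by_clsid[e.clsid])))
    return [e for e in entries if e.reasons]


def triage_log(text: str) -> List[Entry]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.section, "-", e.body)
        for r in e.reasons:
            print("    *", r)
```

Against the sample this flags exactly the seven entries jabuck lists for fixing and leaves the Java, NOD32 entries alone; a real log needs the same reading applied to the O4/O23 sections too, which here pass only because their files exist and have known vendors.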



Response Number 5
Name: dentalchick
Date: August 20, 2007 at 05:10:33 Pacific

ComboFix 07-08-17.2 - "P Gnodde" 2007-08-20 14:04:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.490 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 16:10 <DIR> d-------- C:\VundoFix Backups
2007-08-17 23:00 17,346 --a------ C:\WINDOWS\system32\gibloceg.dll
2007-08-16 19:45 23,186 --a------ C:\WINDOWS\system32\cnlyvjje.dll
2007-08-16 06:19 65,526 --a------ C:\WINDOWS\system32\dwuftfwk.dll
2007-08-16 06:13 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-14 16:04 61,146 --a------ C:\WINDOWS\system32\ggvvbsto.dll
2007-08-12 08:52 59,686 --a------ C:\WINDOWS\system32\xnloqgon.dll
2007-08-10 13:27 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-10 13:27 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-10 13:27 38,728 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-10 13:27 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-10 13:27 <DIR> d-------- C:\DOCUME~1\PGNODD~1\APPLIC~1\PC Tools
2007-08-10 13:08 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-10 13:06 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-01 14:37 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2007-07-31 10:11 <DIR> d-------- C:\Program Files\AWS
2007-07-31 10:03 <DIR> d-------- C:\Program Files\Common Files\3DO Shared
2007-07-31 10:03 <DIR> d-------- C:\Program Files\3DO
2007-07-29 08:47 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-27 19:06 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-07-27 19:06 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2007-07-27 19:06 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-07-27 19:06 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2007-07-27 19:06 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2007-07-27 19:06 <DIR> d-------- C:\Garmin
2007-07-22 11:17 <DIR> d-------- C:\Program Files\THQ
2007-07-22 11:11 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-22 11:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Sjablonen
2007-07-21 21:04 <DIR> d-------- C:\DOCUME~1\PGNODD~1\APPLIC~1\BullGuard
2007-07-21 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BullGuard
2007-07-21 14:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic(2)
2007-07-20 23:21 9,699,328 --a------ C:\DOCUME~1\PGNODD~1\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 2OCUME~1\PGNODD~1\APPLIC~1\dvdcss
2007-08-19 1rogram Files\nbpro
2007-08-13 1rogram Files\PKR
2007-08-11 0rogram Files\Everest Poker
2007-08-03 0rogram Files\World of Warcraft
2007-07-31 10:13 28400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-22 1rogram Files\PartyGaming
2007-07-22 1rogram Files\Google
2007-07-05 1rogram Files\iPod
2007-07-05 1rogram Files\QuickTime
2007-07-05 1rogram Files\Apple Software Update
2007-07-05 1rogram Files\Common Files\Apple
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 1rogram Files\RegistryFix
2007-06-21 18:11 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-21 18:11 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-06-21 18:11 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-26 08:16 C:\WINDOWS\RTHDCPL.EXE]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 14:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-30 00:48]
"nod32kui"="g:\Program Files\Eset\nod32kui.exe" [2007-06-21 18:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"gStart"="C:\Garmin\gStart.exe" [2006-09-06 10:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\P Gnodde\Menu Start\Programma's\Opstarten\
TimeLeft.lnk - C:\Program Files\TimeLeft3\TimeLeft.exe [2007-06-02 19:27:09]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-11-27 10:19:28]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 SI3132;SiI-3132 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3132.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys


Contents of the 'Scheduled Tasks' folder
2007-07-05 11:15:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-20 11:32:08 C:\WINDOWS\Tasks\Controleren op updates voor Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 14:07:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 14:07:53

--- E O F ---
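
The "Files Created" listing is where the remaining Vundo components show themselves: small DLLs with random eight-letter names dropped directly into system32 within the last few days. As an added example (not ComboFix code and not from this thread), the parser below reads that listing format and flags such files; the sample listing is an excerpt of the one above, and the name pattern is an observation from this thread rather than a general signature.

```python
import re
from datetime import date
from typing import Dict, List

# Excerpt of the ComboFix "Files Created" listing above (date, time, size or
# <DIR>, attribute flags, path); a subset of the entries, not the whole log.
SAMPLE_LISTING = r"""
2007-08-20 14:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 16:10 <DIR> d-------- C:\VundoFix Backups
2007-08-17 23:00 17,346 --a------ C:\WINDOWS\system32\gibloceg.dll
2007-08-16 19:45 23,186 --a------ C:\WINDOWS\system32\cnlyvjje.dll
2007-08-16 06:13 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-10 13:27 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-10 13:06 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-27 19:06 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|\d[\d,]*)\s+(?P<attrs>\S{9})\s+(?P<path>.+)$"
)
# Every DLL this thread ends up deleting from system32 has an eight-letter,
# all-lowercase, meaningless name (pmnno.dll aside). This is what was observed
# here, not a universal signature; tune it for other families.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe|tmp)$")
SYSTEM32 = r"c:\windows\system32"


def parse_listing(text: str) -> List[Dict]:
    """One dict per listing line; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        rows.append({"created": date.fromisoformat(m["date"]), "size": size,
                     "attrs": m["attrs"], "path": m["path"]})
    return rows


def suspicious_new_files(rows: List[Dict], scan_date: date, max_age_days: int = 14) -> List[Dict]:
    """Files dropped straight into system32 (not a subfolder) with random-looking names."""
    hits = []
    for r in rows:
        if r["size"] is None:
            continue  # directories are not candidates
        folder, _, name = r["path"].rpartition("\\")
        if folder.lower() != SYSTEM32 or not RANDOM_NAME_RE.match(name):
            continue
        age = (scan_date - r["created"]).days
        hits.append({"path": r["path"], "size": r["size"], "age_days": age,
                     "recent": age <= max_age_days})
    return hits


def triage_listing(text: str, scan_day: str, max_age_days: int = 14) -> List[Dict]:
    """Convenience wrapper: scan_day is the ComboFix run date as YYYY-MM-DD."""
    return suspicious_new_files(parse_listing(text), date.fromisoformat(scan_day), max_age_days)


if __name__ == "__main__":
    for h in triage_listing(SAMPLE_LISTING, "2007-08-20"):
        print(h["path"], h["size"], "bytes,", h["age_days"], "days old")
```

On the sample this picks out gibloceg.dll and cnlyvjje.dll and ignores the Garmin and PC Tools drivers (they live in system32\drivers and have meaningful names) and msvcr80.dll; the age field is there so the analyst can line the file up with when the symptoms started.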




Response Number 6
Name: jabuck
Date: August 20, 2007 at 14:59:14 Pacific

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\WINDOWS\system32\cnlyvjje.dll
C:\WINDOWS\system32\ggvvbsto.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Submit the following files to be analyzed to this link Jotti's. Submit one file at a time then post the results of the scan:

C:\WINDOWS\system32\gibloceg.dll

C:\WINDOWS\system32\dwuftfwk.dll

C:\WINDOWS\system32\xnloqgon.dll




Response Number 7
Name: dentalchick
Date: August 21, 2007 at 10:48:26 Pacific

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mcmsarro

*******************

Script file located at: \??\C:\WINDOWS\xprthtlr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\cnlyvjje.dll deleted successfully.
File C:\WINDOWS\system32\ggvvbsto.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Jotti's:

C:\WINDOWS\system32\gibloceg.dll
File: gibloceg.dll
Status:
OK
MD5: bd4ac36d34d3c29b8378aa81a3a4abcc
Packers detected:
PE_PATCH
Bit9 reports: File not found
Scanner results
Scan taken on 21 Aug 2007 17:38:28 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

C:\WINDOWS\system32\dwuftfwk.dll
File: dwuftfwk.dll
Status:
INFECTED/MALWARE
MD5: 50cdad2abad498ef400320106b9d9cdf
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 21 Aug 2007 17:27:46 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Vundo-gen47
AVG Antivirus
Found BHO.AOD
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found Adware.Vundo.P.Gen
VBA32
Found nothing

C:\WINDOWS\system32\xnloqgon.dll
File: xnloqgon.dll
Status:
INFECTED/MALWARE
MD5: e17c0758ffe215de087c14555ee43869
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 21 Aug 2007 17:35:05 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Vundo-gen46
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.dam
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found Adware.Vundo.P.Gen
VBA32
Found nothing
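
Jotti's output is easiest to judge once it is boiled down to how many engines agreed and what family they named: one engine out of twenty is a weak signal, three naming Vundo is not. The parser below is an added example (not Jotti's code and not from this thread) that turns the block format above into per-file counts; the sample is trimmed from the results above, and the two-engine threshold is our own choice.

```python
import re
from typing import Dict, List

# Excerpt of the Jotti output above, trimmed to a few engines per file; the
# layout (one block per file, engine name and verdict on alternating lines)
# is the one Jotti produced, the trimming is ours.
SAMPLE_JOTTI = r"""
C:\WINDOWS\system32\gibloceg.dll
File: gibloceg.dll
Status:
OK
MD5: bd4ac36d34d3c29b8378aa81a3a4abcc
Packers detected:
PE_PATCH
Scanner results
Scan taken on 21 Aug 2007 17:38:28 (GMT)
A-Squared
Found nothing
Avast
Found nothing
NOD32
Found nothing

C:\WINDOWS\system32\dwuftfwk.dll
File: dwuftfwk.dll
Status:
INFECTED/MALWARE
MD5: 50cdad2abad498ef400320106b9d9cdf
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2007 17:27:46 (GMT)
Avast
Found Win32:Vundo-gen47
AVG Antivirus
Found BHO.AOD
Dr.Web
Found Trojan.Virtumod
NOD32
Found nothing
"""

# Detection names vendors use for this family in the results above.
FAMILY_RE = re.compile(r"vundo|virtum", re.IGNORECASE)


def parse_jotti(text: str) -> List[Dict]:
    """One record per file block: path, status, md5, packers, engine count, detections."""
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rep = {"path": lines[0], "status": None, "md5": None, "packers": None,
               "engines": 0, "detections": {}}
        i = 1
        while i < len(lines) and lines[i] != "Scanner results":  # header part
            if lines[i].startswith("MD5:"):
                rep["md5"] = lines[i].split(":", 1)[1].strip()
            elif lines[i] in ("Status:", "Packers detected:") and i + 1 < len(lines):
                key = "status" if lines[i] == "Status:" else "packers"
                i += 1
                rep[key] = None if lines[i] == "-" else lines[i]
            i += 1
        i += 2  # skip "Scanner results" and the "Scan taken on ..." line
        while i + 1 < len(lines):  # engine / verdict pairs
            engine, verdict = lines[i], lines[i + 1]
            rep["engines"] += 1
            if verdict.startswith("Found ") and verdict != "Found nothing":
                rep["detections"][engine] = verdict[len("Found "):]
            i += 2
        reports.append(rep)
    return reports


def summarize(text: str, min_engines: int = 2) -> Dict[str, Dict]:
    """Per file: engine hits, whether any detection name is in the Vundo/Virtumonde
    family, and a verdict that requires at least min_engines engines to agree."""
    out = {}
    for r in parse_jotti(text):
        hits = len(r["detections"])
        verdict = "malicious" if hits >= min_engines else ("suspicious" if hits else "clean")
        out[r["path"]] = {
            "status": r["status"], "md5": r["md5"], "hits": hits, "engines": r["engines"],
            "verdict": verdict,
            "vundo_family": any(FAMILY_RE.search(n) for n in r["detections"].values()),
        }
    return out


if __name__ == "__main__":
    for path, s in summarize(SAMPLE_JOTTI).items():
        print(path, s["verdict"], "%d/%d engines" % (s["hits"], s["engines"]), s["md5"])
```

A "clean" result, as for gibloceg.dll, only means no engine had a signature at scan time; a freshly dropped, packed, randomly named DLL in system32 still deserves suspicion on those grounds alone, which is why the MD5 is kept in the summary for a later re-check.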



Response Number 8
Name: jabuck
Date: August 21, 2007 at 18:15:53 Pacific

This seems a little long but it mostly explains using AVG AntiSpyware.

Run avenger again and delete these files:

C:\WINDOWS\system32\dwuftfwk.dll

C:\WINDOWS\system32\xnloqgon.dll

Go to start>control panel>add/remove programs and uninstall this program:

Weatherbug

Then navigate to and delete this folder:

C:\Program Files\AWS

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Please download AVG Anti-Spyware

This is a 30-day trial of the program - This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
The update will start and a progress bar will show the updates being installed.
Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the "Settings" screen:
Click on "Recommended actions" -> select "Quarantine".
Under "Reports:" -> select "Do not automatically generate reports".
Close AVG Anti-Spyware. Please do NOT run a scan yet!

Next please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Then please run a scan with AVG Anti-Spyware from safe mode:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select the "Apply all actions" button, and AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Next select the "Save Report" button at the bottom.
Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply.

Next post a new Hijack This log and a new Combofix log please.




Response Number 9
Name: clive_pearce
Date: September 2, 2007 at 15:33:28 Pacific

This might be a bit late, but go to http://www.geekstogo.com/forum/How-...
& download VundoFix.
It seems to have worked for me.

Before posting try google. Backup. Use anti virus software.

