#21
Hey sjb - I've followed all your instructions and have tried deleting the jobajob.dll file in Windows Safe Mode; however, when I try to delete it, I get the following pop-up error message:

Error Deleting File or Folder
Cannot delete jobajob: Access is denied
Make sure the disk is not full or write-protected and that the file is not currently in use.

Any idea what to do? If I right-click on jobajob.dll and select Properties, am I able to disable write protection? I'm not sure. THANKS AGAIN sjb. I know I've said it before, but I really appreciate your help.
#22
sjb - I just got rid of jobajob.dll by going into the Windows Recovery Console:

1. Loaded the Windows Recovery Console
2. Typed (w/out quotes) "cd C:\WINDOWS\System32"
3. Typed (w/out quotes) "DELETE jobajob.dll"
4. Typed EXIT
5. Rebooted in Normal mode and verified the file is gone.

I also deleted jobajob.dll.bak since I believe that's the backup file (did a little research). However, when I do the Malwarebytes' Anti-Malware scan, it says there are still 4 objects affected and one of them is jobajob.dll. I'll attach the Malware log file in my next reply. (So frustrated....)
#23
Attached is the Malware log.
#24
Results of RSIT log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by Paul Hanounik & Amit at 2008-12-17 01:28:42
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (81%) free of 38 GB
Total RAM: 190 MB (18% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:27 AM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Paul Hanounik & Amit\Desktop\RSIT.exe
C:\Program Files\trend micro\Paul Hanounik & Amit.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {60BE9EC6-CC8B-4C55-99F6-15FE9F708456} - c:\windows\system32\jobajob.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1170815341049
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170815329351
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dfhxgcbm - jobajob.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

-- End of file - 5715 bytes
#25
(cont'd)

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-12-12 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60BE9EC6-CC8B-4C55-99F6-15FE9F708456}]
c:\windows\system32\jobajob.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-14 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-12 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-14 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-12 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-25 282624]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]
"CARPService"=C:\WINDOWS\system32\carpserv.exe [2003-05-21 4608]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-13 1261336]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-14 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\Paul Hanounik & Amit\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dfhxgcbm]
jobajob.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\burst\core-new1.1.3\btdownloadheadless.exe"="C:\Program Files\burst\core-new1.1.3\btdownloadheadless.exe:*:Disabled:burst! download engine"
"C:\Program Files\AVG\AVG8\avgam.exe"="C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-16 23:42:25 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-16 22:31:26 ----D---- C:\Program Files\ERUNT
2008-12-15 21:06:23 ----D---- C:\rsit
2008-12-15 20:37:45 ----SHD---- C:\RECYCLER
2008-12-14 14:59:38 ----D---- C:\WINDOWS\Sun
2008-12-14 14:58:23 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-14 14:58:22 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-14 14:58:22 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-14 14:58:21 ----A---- C:\WINDOWS\system32\java.exe
2008-12-14 14:57:12 ----D---- C:\Program Files\Java
2008-12-14 14:55:34 ----D---- C:\Documents and Settings\Paul Hanounik & Amit\Application Data\Sun
2008-12-14 14:45:37 ----D---- C:\WINDOWS\temp
2008-12-14 14:45:28 ----A---- C:\ComboFix.txt
2008-12-13 13:39:47 ----D---- C:\_OTMoveIt
2008-12-13 13:26:47 ----D---- C:\Program Files\Trend Micro
2008-12-13 11:55:03 ----D---- C:\WINDOWS\ERUNT
2008-12-13 09:59:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 09:42:53 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-13 03:15:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-13 03:14:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-13 03:14:27 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-13 03:13:54 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-13 03:13:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-13 03:13:05 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-13 03:12:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-12-13 03:12:36 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-13 03:11:12 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-13 03:10:19 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-13 03:09:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-13 03:08:37 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-13 03:07:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-13 03:06:58 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-13 03:06:40 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-13 03:06:22 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-13 03:05:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-13 03:05:38 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-13 03:05:04 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-13 03:04:21 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-13 03:03:28 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-13 03:02:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-13 03:01:48 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2008-12-13 02:49:07 ----D---- C:\VundoFix Backups
2008-12-13 02:49:07 ----A---- C:\VundoFix.txt
2008-12-13 02:19:06 ----A---- C:\Boot.bak
2008-12-13 02:18:40 ----RASHD---- C:\cmdcons
2008-12-13 02:13:14 ----A---- C:\WINDOWS\zip.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\VFIND.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\SWSC.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\SWREG.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\sed.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\grep.exe
2008-12-13 02:13:14 ----A---- C:\WINDOWS\fdsv.exe
2008-12-13 02:13:07 ----D---- C:\WINDOWS\ERDNT
2008-12-13 02:13:07 ----D---- C:\Qoobox
2008-12-12 22:51:55 ----D---- C:\Documents and Settings\Paul Hanounik & Amit\Application Data\Malwarebytes
2008-12-12 22:51:33 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-12 22:51:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-12 22:37:40 ----HD---- C:\$AVG8.VAULT$
2008-12-12 22:34:57 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-12 22:34:53 ----D---- C:\Documents and Settings\Paul Hanounik & Amit\Application Data\AVGTOOLBAR
2008-12-12 22:34:16 ----D---- C:\Program Files\AVG
2008-12-12 22:34:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-12 21:37:24 ----D---- C:\Program Files\MSECache
2008-12-12 21:18:41 ----D---- C:\Program Files\IZArc
2008-12-12 21:16:15 ----D---- C:\WINDOWS\system32\appmgmt
2008-12-12 19:37:01 ----A---- C:\WINDOWS\system32\msonpmon.dll
2008-12-12 19:33:36 ----D---- C:\Program Files\Microsoft Works
2008-12-12 19:33:03 ----D---- C:\Program Files\MSBuild
2008-12-12 19:31:45 ----D---- C:\Program Files\Microsoft Visual Studio
2008-12-12 19:31:44 ----D---- C:\Program Files\Common Files\DESIGNER
2008-12-12 19:20:51 ----D---- C:\WINDOWS\SHELLNEW
2008-12-12 19:18:33 ----D---- C:\Program Files\Microsoft Office
2008-12-12 19:18:25 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-12 19:16:38 ----RHD---- C:\MSOCache
2008-12-12 18:48:42 ----N---- C:\WINDOWS\system32\xpsp3res.dll
2008-12-12 07:51:43 ----D---- C:\WINDOWS\system32\PreInstall
2008-12-12 07:51:38 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-12-12 07:51:38 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-12 07:37:21 ----D---- C:\WINDOWS\Prefetch
2008-12-12 00:59:00 ----D---- C:\WINDOWS\ServicePackFiles
2008-12-12 00:43:00 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-12-12 00:32:24 ----A---- C:\WINDOWS\system32\MRT.INI

======List of files/folders modified in the last 1 months======

2008-12-17 01:18:04 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-17 01:18:03 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-17 01:17:31 ----HD---- C:\WINDOWS\inf
2008-12-17 00:18:56 ----D---- C:\WINDOWS\system32\drivers
2008-12-16 23:42:22 ----D---- C:\WINDOWS\Debug
2008-12-16 22:41:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-16 22:31:26 ----RD---- C:\Program Files
2008-12-16 19:32:24 ----D---- C:\WINDOWS\system32
2008-12-14 14:59:38 ----D---- C:\WINDOWS
2008-12-14 14:59:29 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-14 14:59:12 ----SHD---- C:\WINDOWS\Installer
2008-12-14 14:37:46 ----A---- C:\WINDOWS\system.ini
2008-12-14 14:29:42 ----D---- C:\WINDOWS\AppPatch
2008-12-14 14:29:42 ----D---- C:\Program Files\Common Files
2008-12-13 13:01:41 ----SD---- C:\Documents and Settings\Paul Hanounik & Amit\Application Data\Microsoft
2008-12-13 11:56:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-13 03:14:55 ----A---- C:\WINDOWS\imsins.BAK
2008-12-13 03:14:31 ----D---- C:\Program Files\Messenger
2008-12-13 03:11:37 ----D---- C:\Program Files\Internet Explorer
2008-12-13 03:05:43 ----D---- C:\WINDOWS\WinSxS
2008-12-13 02:25:34 ----D---- C:\WINDOWS\system32\config
2008-12-13 02:19:06 ----RASH---- C:\boot.ini
2008-12-12 22:44:42 ----D---- C:\WINDOWS\system
2008-12-12 22:33:58 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-12 21:15:49 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2008-12-12 19:30:37 ----RSD---- C:\WINDOWS\Fonts
2008-12-12 19:29:33 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-12 19:29:32 ----D---- C:\WINDOWS\PCHEALTH
2008-12-12 19:23:18 ----A---- C:\WINDOWS\win.ini
2008-12-12 19:22:44 ----D---- C:\Program Files\Common Files\System
2008-12-12 07:56:33 ----D---- C:\WINDOWS\security
2008-12-12 07:41:53 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-12 07:39:28 ----D---- C:\WINDOWS\system32\inetsrv
2008-12-12 07:37:58 ----D---- C:\WINDOWS\system32\wbem
2008-12-12 07:37:27 ----A---- C:\WINDOWS\setuplog.txt
2008-12-12 07:36:56 ----D---- C:\WINDOWS\Minidump
2008-12-12 07:36:45 ----SHD---- C:\System Volume Information
2008-12-12 01:21:22 ----D---- C:\WINDOWS\system32\Setup
2008-12-12 01:21:21 ----D---- C:\WINDOWS\Help
2008-12-12 01:21:18 ----D---- C:\WINDOWS\ime
2008-12-12 01:19:19 ----D---- C:\WINDOWS\system32\oobe
2008-12-12 01:19:18 ----D---- C:\Program Files\Windows Media Player
2008-12-12 01:19:15 ----D---- C:\WINDOWS\peernet
2008-12-12 01:19:14 ----D---- C:\Program Files\Movie Maker
2008-12-12 01:19:12 ----D---- C:\WINDOWS\Media
2008-12-12 00:58:04 ----D---- C:\WINDOWS\system32\Restore
2008-12-12 00:58:04 ----D---- C:\WINDOWS\system32\npp
2008-12-12 00:58:04 ----D---- C:\WINDOWS\msagent
2008-12-12 00:58:00 ----D---- C:\WINDOWS\srchasst
2008-12-12 00:57:55 ----D---- C:\Program Files\NetMeeting
2008-12-12 00:57:51 ----D---- C:\WINDOWS\system32\Com
2008-12-12 00:57:44 ----D---- C:\Program Files\Windows NT
2008-12-12 00:57:44 ----D---- C:\Program Files\Outlook Express
2008-12-12 00:56:45 ----D---- C:\WINDOWS\system32\usmt
2008-12-12 00:52:28 ----RD---- C:\WINDOWS\Web
2008-12-12 00:51:49 ----A---- C:\ntdetect.com
2008-12-12 00:49:29 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-12 00:41:51 ----D---- C:\WINDOWS\EHome
2008-12-09 15:24:38 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-12 98440]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-12 26824]
R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-12 90632]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2003-05-21 30592]
R3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-04 231552]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-05-15 701952]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 16074]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-05-21 1063040]
R3 HSFHWALI;HSFHWALI; C:\WINDOWS\System32\DRIVERS\HSFHWALI.sys [2003-05-21 179712]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-05-21 631296]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-05-15 397312]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-14 152984]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------
#26
Howdy there Amit

From what I see, the file is no longer there; only the redundant registry entries are showing. Did you remove it with MBAM after you posted the log?

Please delete the version of ComboFix that you currently have on your desktop.

Download the latest version from here - Combofix

Go to the Start menu - select Run, and in the command box type in notepad

Next - copy/paste the text in the code box below into it:

Code:
Killall::
File::
C:\WINDOWS\imsins.BAK
Dirlook::
C:\WINDOWS\system32\inetsrv
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60BE9EC6-CC8B-4C55-99F6-15FE9F708456}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dfhxgcbm]

- Drag the CFScript.txt over onto Combofix.exe and release.

Combofix will then execute the script and produce a fresh log; save this log and post it in your next reply.

====================================

Download GMER Rootkit Scanner from here or here.

* Extract the contents of the zipped file to desktop.
* Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
* If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
* Leave all settings at default. Ensure the Show all box is not checked.
* Then click the Scan button & wait for it to finish.
* Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop, and post it back in your next reply along with the combofix log.

Please do not run any other scans apart from what is in the fix - Thanks
Proud member of ASAP & UNITE My System: Steves Rig
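An added illustration of how the two Registry:: lines in sjb's CFScript relate to the HijackThis log in post #24 (this is example code written for this page, not part of the thread, of HijackThis or of ComboFix). Both "(file missing)" entries in that log, the O2 BHO with no name and the O20 Winlogon Notify subkey dfhxgcbm, still point at jobajob.dll after the file was deleted from the Recovery Console; the script below parses those line types, flags the entries whose DLL HijackThis could not find on disk, and emits the matching [-KEY] deletions in ComboFix's Registry:: syntax. The sample input is constructed by copying a few lines out of that log; the regexes assume the HijackThis v2.0.2 line layout shown there, and the function and class names are this example's own.

```python
"""Pull O2 (BHO) and O20 Winlogon Notify entries out of a HijackThis log and
turn the orphaned ones (DLL gone, load-point key still present) into a
ComboFix Registry:: block.  Added example; not code from the thread."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log
# posted earlier in this thread.  Real logs have many more line types.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {60BE9EC6-CC8B-4C55-99F6-15FE9F708456} - c:\windows\system32\jobajob.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dfhxgcbm - jobajob.dll (file missing)
"""

# The keys Explorer/IE and winlogon.exe actually read at load time.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# O2 line layout:  "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 line layout: "O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]"
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Entry:
    kind: str           # "BHO" or "WinlogonNotify"
    label: str          # BHO display name, or the Notify subkey name
    key: str            # registry key that makes the DLL load
    path: str           # DLL path exactly as HijackThis printed it
    file_missing: bool  # HijackThis could not find the DLL on disk


def parse_hjt(text: str) -> list[Entry]:
    """Return the BHO and Winlogon Notify load points found in a HijackThis log."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            entries.append(Entry("BHO", m["name"], f"{BHO_KEY}\\{m['clsid']}",
                                 m["path"], m["missing"] is not None))
        elif m := NOTIFY_RE.match(line):
            # A bare DLL name here is resolved from System32 by winlogon.exe
            # at every logon, which is why this key survives Safe Mode.
            entries.append(Entry("WinlogonNotify", m["subkey"], f"{NOTIFY_KEY}\\{m['subkey']}",
                                 m["path"], m["missing"] is not None))
    return entries


def orphaned(entries: list[Entry]) -> list[Entry]:
    """Load points whose DLL is gone but whose registry key is still present."""
    return [e for e in entries if e.file_missing]


def combofix_registry_block(entries: list[Entry]) -> str:
    """Emit a CFScript 'Registry::' section; '[-KEY]' tells ComboFix to delete KEY."""
    lines = ["Registry::"]
    lines += [f"[-{e.key}]" for e in orphaned(entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in found:
        flag = "ORPHANED" if e.file_missing else "ok"
        print(f"{flag:8} {e.kind:14} {e.label} -> {e.path}")
    print(combofix_registry_block(found))
```

Running it prints both orphaned entries and exactly the two [-HKEY_LOCAL_MACHINE\...] lines that appear in the script above. Two caveats when using this approach on a real log: "(file missing)" only means the DLL was not found at that path at scan time, so a scanner that reports the keys themselves will keep reporting them until the keys are removed, which is what the Registry:: section does; and a BHO also carries a COM class registration under HKEY_CLASSES_ROOT\CLSID\{CLSID}, which HijackThis does not list, so that key is worth checking as well before calling the load point gone.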
#27
Hey sjb - Every time I try removing the 4 infected objects with MBAM, it says that in order to delete them, I have to restart my computer. I do that; however, when I run the Malwarebytes' Anti-Malware scan again after rebooting, it shows the 4 objects are still infected with Trojan.Vundo. I will try again tonight and advise. Thanks for the ComboFix instructions. I'll follow them and report back to you tonight. Thanks again sjb!
#28
Quote:
#29
Hey sjb - I did what you said. Attached is the fresh ComboFix log.
#30
I will post the GMER log shortly. Thanks a lot sjb.