I just did a scan with Norton Anti-Virus, SuperAnti Spyware, RUBotted and MalwareBytes.

Here is my HijackThis Log, please let me know if there is anything else that should be removed. Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:23 PM, on 2/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: leftsidebuddy search enhancer - {180A7F35-81C1-FC4C-3D85-0282AD185C08} - C:\WINDOWS\system32\eecfpkmvxvde.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180625529093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180630790412
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = foremost.cc
O17 - HKLM\Software\..\Telephony: DomainName = foremost.cc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = foremost.cc
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5772 bytes

So I'm assuming that the log looks clean to everyone?

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\eecfpkmvxvde.dll

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\eecfpkmvxvde.dll

Unfortunately I won't be able to do so until Tuesday. I work as a Computer Hardware Tech and the HTJ log I posted is from a computer at work. I'll do so first thing Tuesday, is it ok if I PM you to let you know I have gotten the results or will you get notified that I replied to this post?

I will get notified of your reply.

The file you asked me to scan appears to have been removed according to our Norton Anti-Virus. I also checked the System32 folder and it is no where to be found.

Currently Super AntiSpyware is running. If it produces a log would you like me to post it? It is showing that there are files infected.

Yes, but leave out the tracking cookies.

Tracking Cookies weren't found

Here is the log.

SUPERAntiSpyware Scan Log
[url]http://www.superantispyware.com[/url]

Generated 02/24/2009 at 11:21 AM

Application Version : 4.25.1012

Core Rules Database Version : 3772
Trace Rules Database Version: 1731

Scan type       : Complete Scan
Total Scan Time : 00:48:43

Memory items scanned      : 430
Memory threats detected   : 0
Registry items scanned    : 5393
Registry threats detected : 63
File items scanned        : 28540
File threats detected     : 3

Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\InprocServer32
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\InprocServer32#ThreadingModel
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\ProgID
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\Programmable
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\TypeLib
    HKCR\CLSID\{12C7290A-157B-4F43-B109-97E792C598ED}\VersionIndependentProgID
    HKCR\WinGDIApp.WinGDI.1
    HKCR\WinGDIApp.WinGDI.1\CLSID
    HKCR\WinGDIApp.WinGDI
    HKCR\WinGDIApp.WinGDI\CLSID
    HKCR\WinGDIApp.WinGDI\CurVer
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}\1.0
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}\1.0\0
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}\1.0\0\win32
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}\1.0\FLAGS
    HKCR\TypeLib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30}\1.0\HELPDIR
    C:\WINDOWS\IEHOST.DLL
    HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MOBAHIBE.DLL
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Browser Hijacker.MJCore
    HKLM\Software\Classes\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32#ThreadingModel
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ProgID
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\Programmable
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\TypeLib
    HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\VersionIndependentProgID
    HKCR\BHO_MyJavaCore.Mjcore.1
    HKCR\BHO_MyJavaCore.Mjcore.1\CLSID
    HKCR\BHO_MyJavaCore.Mjcore
    HKCR\BHO_MyJavaCore.Mjcore\CLSID
    HKCR\BHO_MyJavaCore.Mjcore\CurVer
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\0
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\0\win32
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\FLAGS
    HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}\1.0\HELPDIR
    C:\PROGRAM FILES\MJCORE\MJCORE.DLL
    HKLM\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore
    HKLM\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CLSID
    HKLM\SOFTWARE\Classes\BHO_MyJavaCore.Mjcore\CurVer
    HKCR\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}
    HKCR\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid
    HKCR\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\ProxyStubClsid32
    HKCR\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib
    HKCR\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}\TypeLib#Version

Trojan.VideoCach/Gen
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib
    HKCR\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib#Version
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
    HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version

Try running this too. It's the premium Vundo removal tool today.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Way ahead of you on that one. We ran the scan for Malware Bytes at 9:25am

Here is the log. I am punching out of work in a few minutes so you wont hear back from me with actual results with instructions you provide me until tomorrow.

Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 5.1.2600 Service Pack 2

12:28:15 PM 8/25/2008
mbam-log-08-25-2008 (12-28-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 90611
Time elapsed: 1 hour(s), 36 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\winsrc.dll (Adware.Search Toolbar) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328} (Adware.Search Toolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Adware.Search Toolbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieupdate (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ieupdates.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsrc.dll (Adware.Search Toolbar) -> Delete on reboot.

Way ahead of you on that one. We ran the scan for Malware Bytes at 9:25am

Actually, you are way behind. That version of MBA-M is about a hundred years old. Please follow my instructions :).

Actually, you are way behind. That version of MBA-M is about a hundred years old. Please follow my instructions :).

Haha alright, I did the updates after I originally downloaded it on Friday. I guess they didn't apply or something. I'll post back with a new log after I get the scan done tomorrow.

I be here

Problem got solved. My coworker was working on it all day yesterday as I was some where else working. He manually removed the infections and everything is fine now.

Thanks for your help!

Marking as Solved.

I can near guarantee he never got the lot if he did it manually.

Your right about that, a virus just popped up on the system again but I'm not allowed to run the Malwarebytes at the moment.

However I did find the correct log I meant to send you. I accidentally sent you a really old one. I'm not sure if these still issues still exist but feel free to look through it.

Malwarebytes' Anti-Malware 1.34
Database version: 1797
Windows 5.1.2600 Service Pack 3

2/24/2009 9:25:54 AM
mbam-log-2009-02-24 (09-25-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142000
Time elapsed: 48 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{8a10fc9b-8d76-4e95-a9be-acda2f665c30} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I would suggest that when you can, update MBA-M and run a scan. Remove what it finds and reboot. Post it's log and a new hijackthis log.
No hurry as I am away visiting my mum for a couple of days.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.