WiredWX Christian Hobby Weather Tools

Virtumonde hijack

Good evening,

I have a stubborn infection that cannot be deleted with Spybot or Malwarebytes. It also deactivates my Symantec Anti-Virus. The following files and keys are the ones that keep showing up on the scans:

Files:
C:\Windows\system32\eaxmufm.dll
C:\Windows\Temp\wqtmfcqv.dat

Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud

HKEY_CLASSES_ROOT\CLSID\{67cab31f-58f3-451c-85f7-14f214050504}


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:19 PM, on 5/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mirra\mirra.watchdog.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mirra\Mirra.Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mirra\Mirra.Client.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\FaxCtrl.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
E:\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Advanced Equities
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9601] command.com /c del "C:\WINDOWS\system32\sdra64.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2001] cmd.exe /c del "C:\WINDOWS\system32\sdra64.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3102] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7752] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1228] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2523] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7084] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - S-1-5-18 Startup: FaxCtrl.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: VPTray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: FaxCtrl.exe (User 'Default user')
O4 - .DEFAULT Startup: VPTray.exe (User 'Default user')
O4 - Startup: FaxCtrl.exe
O4 - Startup: VPTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Mirra.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: SEAGULL WinJa Java Client 4_0C11 - https://www2.netxpro.com/WinJa/applet/40C11/winja_ie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240435015182
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240435000004
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c13/v18.161/qboax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.firstallied.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\Software\..\Telephony: DomainName = ad.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.corp
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MirraSync Service (Mirra.Service) - Mirra, Inc. - C:\Program Files\Mirra\Mirra.Service.exe
O23 - Service: Mirra Watchdog Service (Mirra.Watchdog) - Mirra, Inc. - c:\program files\mirra\mirra.watchdog.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7696 bytes


Thank you,

John C

Re: Virtumonde hijack

Hello.
The reason the files won't go away is because they are being locked by a rootkit, called Sentinal. The same goes for the registry keys. If you already have MBAM on the system, I need you to update it to the latest database, which is able to kill the rootkit. Before doing anything, we need to remove some of the malicious entries in HijackThis.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivguardian.com
    O1 - Hosts: 94.232.248.66 www.antivguardian.com
    O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9601] command.com /c del "C:\WINDOWS\system32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2001] cmd.exe /c del "C:\WINDOWS\system32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3102] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7752] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1228] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2523] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7084] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
    O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll


  • Press "Fix Checked"
  • Close Hijack This.

The latest database as of right now is 2079. Update MBAM, run the scan and post the log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
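The entries the helper singles out above (the hosts-file redirects, the localhost proxy, the nameless BHO, the protocol hijack and the Winlogon Notify DLL) can be picked out of a HijackThis log mechanically. The following is an added example, not part of this thread and not HijackThis code: a small Python triage over lines copied from the log above, which also correlates a DLL that is registered at more than one load point. The severity labels and the `microsoft.com` domain check are the example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# One regex per HJT section this triage understands (R1, O1, O2, O18, O20).
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
HIJACK_RE = re.compile(r"^O18 - Protocol hijack: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def dll_name(path: str) -> str:
    """Reduce a DLL path to its lower-case file name; the log mixes path case."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Classify one HJT line as (severity, explanation); None means nothing to report."""
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip in LOOPBACK:
            return None  # ordinary localhost mapping
        # A real address pinned to a vendor domain is a hosts-file hijack: it
        # lets rogue software impersonate update or "security" sites (assumed list).
        if host == "microsoft.com" or host.endswith(".microsoft.com"):
            return ("high", f"hosts file redirects {host} to {ip}")
        return ("medium", f"hosts file pins {host} to {ip}")
    m = PROXY_RE.match(line)
    if m:
        proxy = m.group(1)
        if "localhost" in proxy or "127.0.0.1" in proxy:
            # Browser traffic is being funnelled through a local listener.
            return ("high", f"IE proxies through a local listener: {proxy}")
        return ("low", f"explicit proxy configured: {proxy}")
    m = BHO_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if name.strip() == "(no name)":
            return ("high", f"nameless BHO {clsid} loads {path}")
    m = HIJACK_RE.match(line)
    if m:
        return ("medium", f"protocol handler replaced: {m.group(1)}")
    m = NOTIFY_RE.match(line)
    if m:
        name, path = m.groups()
        return ("low", f"Winlogon Notify package {name} loads {path} at logon")
    return None


def triage_log(text: str) -> Dict[str, List[str]]:
    """Triage every line, then correlate DLLs that appear at several load points."""
    report: Dict[str, List[str]] = defaultdict(list)
    loaders: Dict[str, List[str]] = defaultdict(list)  # dll -> load points
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = triage_line(line)
        if finding:
            report[finding[0]].append(finding[1])
        for rx, point in ((BHO_RE, "BHO"), (NOTIFY_RE, "Winlogon Notify")):
            m = rx.match(line)
            if m:  # the DLL path is always the last capture group
                loaders[dll_name(m.group(m.lastindex))].append(point)
    # One DLL registered both as a BHO and as a Winlogon Notify package is the
    # persistence pattern in this thread (eaxmufm.dll), so escalate it.
    for dll, points in loaders.items():
        if len(set(points)) > 1:
            report["high"].append(
                f"{dll} registered at {len(points)} load points: {', '.join(points)}")
    return dict(report)
```

Running `triage_log(SAMPLE_LOG)` groups the findings by severity, with `eaxmufm.dll` reported once as a nameless BHO and again for being registered at two load points.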

Re: Virtumonde hijack

Hello,

I am unable to update MBAM on the infected computer. I tried loading it onto a jump drive on another computer and transferring it, but it did not work.

I am also unable to access any websites. There doesn't appear to be anything wrong with the connection unless I'm missing something; it's the same connection I'm using with the clean system.

Any suggestions?

Thanks.

Re: Virtumonde hijack

Hello.
I'll take a wild guess and say you have more than one rootkit here.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Virtumonde hijack

Here's the avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Re: Virtumonde hijack

Hmmm.
Okay, good work. No rootkit there, but my feelings tell me we'll need to use the avenger again. We will, but we need to find that rootkit that is locking the files. This scanner will find it, and once it has, we can put a stop to it. Smile...

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: Virtumonde hijack

DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by carter.mecham at 9:18:46.95 on Wed 05/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.643 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mirra\mirra.watchdog.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mirra\Mirra.Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mirra\Mirra.Client.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\FaxCtrl.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\carter.mecham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer provided by Advanced Equities
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: : {67cab31f-58f3-451c-85f7-14f214050504} - c:\windows\system32\eaxmufm.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\faxctrl.exe
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [Cleanup] C:\cleanup.exe
StartupFolder: c:\documents and settings\carter.mecham\start menu\programs\startup\FaxCtrl.exe
StartupFolder: c:\documents and settings\carter.mecham\start menu\programs\startup\VPTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mirra.lnk - c:\program files\mirra\Mirra.Client.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 1 (0x1)
uPolicies-system: NoColorChoice = 1 (0x1)
uPolicies-system: Wallpaper = c:\windows\web\wallpaper\aewallpaper.jpg
uPolicies-system: WallpaperStyle = 2
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRunOnce = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRun = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: SEAGULL WinJa Java Client 4_0C11 - hxxps://www2.netxpro.com/WinJa/applet/40C11/winja_ie.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240435015182
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240435000004
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c13/v18.161/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sslvpn.firstallied.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: thqrbvud - eaxmufm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mtrjmsno;mtrjmsno;c:\windows\system32\drivers\mtrjmsno.sys [2003-3-31 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Mirra.Service;MirraSync Service;c:\program files\mirra\Mirra.Service.exe [2007-9-12 49152]
R2 Mirra.Watchdog;Mirra Watchdog Service;c:\program files\mirra\Mirra.Watchdog.exe [2007-9-12 20480]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061204.017\naveng.sys [2007-8-1 79240]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061204.017\navex15.sys [2007-8-1 831880]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-05-05 20:50 135,168 a------- C:\zip.exe
2009-05-05 20:50 19,286 a------- C:\cleanup.exe
2009-05-05 20:50 574 a------- C:\cleanup.bat
2009-05-05 20:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 20:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-05 11:59 305 a------- c:\windows\wininit.ini
2009-05-04 12:01 --d----- c:\program files\Spybot - Search & Destroy
2009-05-04 12:01 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-22 17:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-22 17:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-22 17:35 --d----- c:\documents and settings\carter.mecham\.SunDownloadManager
2009-04-22 17:17 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-22 15:43 --d----- c:\windows\pss
2009-04-22 09:32 --d----- c:\docume~1\carter~1.mec\applic~1\Malwarebytes
2009-04-22 09:32 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================


============= FINISH: 9:19:08.93 ===============

Re: Virtumonde hijack

That found the little devil. Smile...

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
mtrjmsno

Drivers to delete:
mtrjmsno

Files to delete:
c:\windows\system32\drivers\mtrjmsno.sys
c:\windows\system32\eaxmufm.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Virtumonde hijack

Avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "mtrjmsno" disabled successfully.
Driver "mtrjmsno" deleted successfully.
File "c:\windows\system32\drivers\mtrjmsno.sys" deleted successfully.
File "c:\windows\system32\eaxmufm.dll" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Virtumonde hijack

Okay, that should do it for the rootkit.

Now we have to address the antivirus issue. I see it's Symantec, but it's disabled and outdated. You're leaving yourself wide open to another attack.

Is it a trial version? Just a guess.

If it is, it needs to be removed and replaced with something free and easy to update.


Re: Virtumonde hijack

Would you recommend AVG or something else?

Re: Virtumonde hijack

Hello. I recommend Avira.

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Then I want to see what's installed so I can direct you on uninstalling Symantec.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
