Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


trojan.virtumonde/trojan.agent

Post by poisnivy13 » May 1st, 2008, 4:45 pm

aloha all

i've been going through forum questions and can't find anything to help on this computer. it is a common computer and i cannot figure out what the source infection is, but found over 300 infections. i've gotten rid of everything except trojan.virtumonde and trojan.agent.

what i've tried: spyware doctor, registry mechanic (both paid versions), combo fix, cc cleaner, symantec, vundofix, virtumundobegone, malwarebytes anti-malware, spybot search & destroy, basically anything that seemed like it might work...

what happens - cannot get to any website that relates to anti-virus, takes me to a sex site. had to take computer off network and offline and have been running back and forth with a travel drive to try to download programs. very very slow and mostly they don't finish anything before they quit responding.

here is my hijackthis log (attached), if anyone has any suggestions i would love to hear from you!

many mahalos
melissa

hijack this:
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:04:17 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\HJTInstall.exe
C:\WINDOWS\system32\Defrag.exe
C:\Program Files\Microsoft Windows OneCare Live\GtCC.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D92321BF-3D8F-4F66-8716-5E5F84D0533F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [BMa3c35928] Rundll32.exe "C:\WINDOWS\system32\dtubjqgs.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: printcon.bat
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\iestuff\PLUGINS\npqtplugin3.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{62893D28-0F71-43DC-9500-4DA29213787F}: NameServer = 192.168.2.6
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - Winlogon Notify: fccddCrp - fccddCrp.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe


--

End of file - 7735 bytes
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Post by Shaba » May 2nd, 2008, 12:24 pm

Hi poisnivy13

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Post by poisnivy13 » May 5th, 2008, 5:02 pm

thank you! will try it this afternoon and let ya know...

melissa
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Post by Shaba » May 6th, 2008, 9:56 am

Hi

OK, I'll be waiting :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Post by poisnivy13 » May 8th, 2008, 9:05 pm

so far i've run combofix, had nothing happen. went to the recovery console install, etc, followed instructions for when combofix doesn't work. i have no task manager right now (think it's hijacked) so couldn't end any processes.

after recovery console i got combo fix to work but it has been stuck on stage 33 for about 2 hours now. i will let it run overnight and see what happens.

i'm seriously thinking about wiping everything off the computer and starting again. i will lose a lot of stuff but i think at this point that i've spent too much time on this... if i wipe everything and reinstall will that also erase the viruses? please give me your opinion of that, as the other option i am considering is a quick drop from my second floor window...

thanks so much for your help!
melissa
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Post by Shaba » May 9th, 2008, 5:14 am

Hi

Try to run combofix next in safe mode, please :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Post by poisnivy13 » May 9th, 2008, 4:09 pm

aha! combofix ran all night without finishing. after rebooting into safe mode it took a couple tries but i finally got a completed scan. here is the log:

thank you for any help you can provide!!


ComboFix 08-05-08.1 - Captain Andy's 2008-05-09 9:41:49.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.113 [GMT -10:00]
Running from: C:\Documents and Settings\Captain Andy's\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\DLlRYcfe.ini
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\iwiakkqk.ini
C:\WINDOWS\system32\jjiPYcdd.ini
C:\WINDOWS\system32\jjiPYcdd.ini2
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\onvreyas.ini
C:\WINDOWS\system32\SrAGPXyb.ini
C:\WINDOWS\system32\SrAGPXyb.ini2
C:\WINDOWS\system32\xuilpyll.ini
.
---- Previous Run -------
.
C:\Program Files\ymante~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 04:00 . 2008-05-08 04:00 1,024 --ah----- C:\Documents and Settings\QBPOSDBSrvUser\NTUSER.DAT.COPY.TMP.LOG
2008-04-30 15:52 . 2003-11-19 13:48 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-04-30 11:55 . 2008-04-30 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 09:57 . 2008-04-30 09:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-30 08:38 . 2008-05-01 12:14 <DIR> d-------- C:\VundoFix Backups
2008-04-30 08:29 . 2008-04-30 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-30 08:29 . 2008-04-28 12:49 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-30 08:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-30 08:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 08:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-28 08:27 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-04-28 08:27 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-04-28 08:19 . 2008-04-28 08:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-28 08:19 . 2007-07-06 15:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-04-28 08:18 . 2008-04-28 08:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-28 08:17 . 2007-03-29 02:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-28 08:17 . 2007-03-29 02:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-28 08:17 . 2007-03-29 02:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-28 08:06 . 2008-04-28 08:06 417 --ahs---- C:\WINDOWS\system32\gPYccMoq.ini
2008-04-27 15:16 . 2008-04-27 15:16 3,120 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-27 15:00 . 2008-05-09 09:54 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-27 15:00 . 2008-04-27 15:21 <DIR> d-------- C:\cc774ba8b9cf1549ae426e4815
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\Malwarebytes
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 12:59 . 2008-04-27 12:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-27 12:57 . 2004-08-04 12:00 566,784 --a------ C:\WINDOWS\system32\gpedit.dll
2008-04-27 12:56 . 2004-08-04 12:00 117,760 --a------ C:\WINDOWS\system32\fde.dll
2008-04-27 12:24 . 2008-04-28 09:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 12:24 . 2008-04-28 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 12:06 . 2008-04-27 12:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:50 . 2008-04-27 11:50 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 09:23 . 2008-05-09 09:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-27 09:23 . 2008-04-27 09:23 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\PC Tools
2008-04-27 09:23 . 2008-05-09 09:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 09:23 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-27 09:23 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-27 09:23 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-27 09:23 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-27 08:02 . 2008-05-01 10:33 109,738 --a------ C:\WINDOWS\BMa3c35928.xml
2008-04-26 15:10 . 2008-04-26 15:10 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-26 13:29 . 2008-04-26 13:29 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-04-26 13:29 . 2008-04-26 13:29 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-04-26 13:29 . 2008-04-26 13:29 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-04-26 13:28 . 2008-04-26 13:28 578 --a------ C:\WINDOWS\index.html
2008-04-26 13:27 . 2008-05-01 14:17 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 12:39 . 2008-04-27 13:52 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-26 12:39 . 2008-04-28 12:03 <DIR> d--hs---- C:\WINDOWS\Q2FwdGFpbiBBbmR5J3M
2008-04-26 12:39 . 2008-04-27 11:17 <DIR> d-------- C:\Temp
2008-04-26 12:39 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 19:53 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-27 21:27 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-27 18:39 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\Captain Andy's\Application Data\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-27 18:38 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-27 18:36 --------- d-----w C:\Program Files\Yahoo!
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-05 04:33 35,378,168 ----a-w C:\Program Files\Avery_Wizard_Holiday.exe
2007-10-24 19:59 1,951,432 ----a-w C:\Program Files\ppviewer.exe
2008-01-18 18:01 56 --sh--r C:\WINDOWS\system32\5B3F3EE646.sys
2008-01-18 18:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D92321BF-3D8F-4F66-8716-5E5F84D0533F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-31 07:02 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-31 07:02 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 21:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 06:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 06:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 15:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 15:20 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 13:48 32881]
"BMa3c35928"="C:\WINDOWS\system32\dtubjqgs.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
printcon.bat [2006-08-07 18:12:33 49]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-17 17:36:00 811008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddCrp]
fccddCrp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-28 12:49]
S1 ql10800;ql10800;C:\WINDOWS\system32\drivers\ql10800.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:57:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-09 10:02:33 - machine was rebooted [Captain Andy's]
ComboFix-quarantined-files.txt 2008-05-09 20:02:03

Pre-Run: 63,998,115,840 bytes free
Post-Run: 63,747,215,360 bytes free

193 --- E O F --- 2008-04-09 13:03:29
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Post by Shaba » May 10th, 2008, 4:52 am

Hi

Please post a fresh HijackThis as well :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Post by poisnivy13 » May 12th, 2008, 2:36 pm

finally got control of my task manager! yea!


new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:37 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D92321BF-3D8F-4F66-8716-5E5F84D0533F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: printcon.bat
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\iestuff\PLUGINS\npqtplugin3.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62893D28-0F71-43DC-9500-4DA29213787F}: NameServer = 192.168.2.6
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - Winlogon Notify: fccddCrp - fccddCrp.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--

End of file - 7407 bytes



thank you!
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Unread postby Shaba » May 13th, 2008, 8:51 am

Hi

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\system32\beep.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Unread postby poisnivy13 » May 15th, 2008, 7:17 pm

i scanned C:\WINDOWS\system32\beep.sys, not sure if this is what you intended, or the first on the list of my hijackthis log?
anyway, here are results...



Scan taken on 15 May 2008 23:05:38 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

bottom of page:

Last file scanned at least one scanner reported something about: server.exe (MD5: 44ab2970e9f59a16e4177edee227eda1, size: 181137 bytes), detected by:

Scanner Malware name
A-Squared Backdoor.Win32.Shark.axz
AntiVir BDS/Shark.Gen.26
ArcaVir Riskware.Hacktool.Sslmim
Avast Win32:Shark-BR
AVG Antivirus BackDoor.Shark.F
BitDefender Backdoor.Shark.BS
ClamAV Trojan.Karsh-252
CPsecure BackDoor.W32.Shark.X
Dr.Web BackDoor.Shark
F-Prot Antivirus W32/Backdoor2.AOJE
F-Secure Anti-Virus Backdoor.Win32.Shark.axz
Fortinet W32/SHARK.BI!tr.bdr
Ikarus Backdoor.VB.Shark
Kaspersky Anti-Virus Backdoor.Win32.Shark.axz
NOD32 probably a variant of Win32/Genetik
Norman Virus Control W32/Smalldoor.BLUG
Panda Antivirus X
Sophos Antivirus Troj/Shark-C
VirusBuster Backdoor.Shark.PN
VBA32 Backdoor.Win32.Shark.axz



thanks!
melissa
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm

Re: trojan.virtumonde/trojan.agent

Unread postby Shaba » May 16th, 2008, 11:44 am

Hi

OK, it looks to be clean.

Your copy of combofix is outdated so let's remove it and download a fresh copy next:

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: trojan.virtumonde/trojan.agent

Unread postby poisnivy13 » May 16th, 2008, 4:21 pm

aloha!
things are running more smoothly! yea! if you find yourself on kauai make sure you let me know, i'll hook you up with some fun activities...

here's combofix log and hijackthis log:

ComboFix 08-05-15.3 - Captain Andy's 2008-05-16 10:13:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.54 [GMT -10:00]
Running from: C:\Documents and Settings\Captain Andy's\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 03:05 . 2008-05-16 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-08 04:00 . 2008-05-08 04:00 1,024 --ah----- C:\Documents and Settings\QBPOSDBSrvUser\NTUSER.DAT.COPY.TMP.LOG
2008-04-30 15:52 . 2003-11-19 13:48 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-04-30 11:55 . 2008-04-30 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 09:57 . 2008-04-30 09:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-30 08:38 . 2008-05-01 12:14 <DIR> d-------- C:\VundoFix Backups
2008-04-30 08:29 . 2008-04-30 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-30 08:29 . 2008-04-28 12:49 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-30 08:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-30 08:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 08:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-28 08:19 . 2008-05-16 09:19 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-28 08:18 . 2008-04-28 08:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-28 08:17 . 2007-03-29 02:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-28 08:17 . 2007-03-29 02:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-28 08:17 . 2007-03-29 02:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-28 08:06 . 2008-04-28 08:06 417 --ahs---- C:\WINDOWS\system32\gPYccMoq.ini
2008-04-27 15:16 . 2008-05-16 03:10 3,544 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-27 15:00 . 2008-04-27 15:21 <DIR> d-------- C:\cc774ba8b9cf1549ae426e4815
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\Malwarebytes
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 12:59 . 2008-04-27 12:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-27 12:57 . 2004-08-04 12:00 566,784 --a------ C:\WINDOWS\system32\gpedit.dll
2008-04-27 12:56 . 2004-08-04 12:00 117,760 --a------ C:\WINDOWS\system32\fde.dll
2008-04-27 12:24 . 2008-04-28 09:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 12:24 . 2008-04-28 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 12:06 . 2008-04-27 12:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:50 . 2008-04-27 11:50 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 09:23 . 2008-05-09 14:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-27 09:23 . 2008-04-27 09:23 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\PC Tools
2008-04-27 09:23 . 2008-05-16 10:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 09:23 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-27 09:23 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-27 09:23 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-27 09:23 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-27 08:02 . 2008-05-01 10:33 109,738 --a------ C:\WINDOWS\BMa3c35928.xml
2008-04-26 15:10 . 2008-04-26 15:10 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-26 13:29 . 2008-04-26 13:29 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-04-26 13:29 . 2008-04-26 13:29 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-04-26 13:29 . 2008-04-26 13:29 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-04-26 13:28 . 2008-04-26 13:28 578 --a------ C:\WINDOWS\index.html
2008-04-26 13:27 . 2008-05-01 14:17 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 12:39 . 2008-04-27 13:52 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-26 12:39 . 2008-04-28 12:03 <DIR> d--hs---- C:\WINDOWS\Q2FwdGFpbiBBbmR5J3M
2008-04-26 12:39 . 2008-04-27 11:17 <DIR> d-------- C:\Temp
2008-04-26 12:39 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 20:06 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-27 21:27 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-27 18:39 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\Captain Andy's\Application Data\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-27 18:38 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-27 18:36 --------- d-----w C:\Program Files\Yahoo!
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-12-05 04:33 35,378,168 ----a-w C:\Program Files\Avery_Wizard_Holiday.exe
2007-10-24 19:59 1,951,432 ----a-w C:\Program Files\ppviewer.exe
2008-01-18 18:01 56 --sh--r C:\WINDOWS\system32\5B3F3EE646.sys
2008-01-18 18:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D92321BF-3D8F-4F66-8716-5E5F84D0533F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-31 07:02 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-31 07:02 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 21:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 06:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 06:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 15:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 15:20 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 13:48 32881]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
printcon.bat [2006-08-07 18:12:33 49]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-17 17:36:00 811008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddCrp]
fccddCrp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-28 12:49]
S1 ql10800;ql10800;C:\WINDOWS\system32\drivers\ql10800.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 10:16:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-16 10:18:16
ComboFix-quarantined-files.txt 2008-05-16 20:18:11
ComboFix2.txt 2008-05-10 00:45:45
ComboFix3.txt 2008-05-09 20:02:37

Pre-Run: 63,416,594,432 bytes free
Post-Run: 63,447,171,072 bytes free

143 --- E O F --- 2008-05-16 13:15:44






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:07 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.napali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D92321BF-3D8F-4F66-8716-5E5F84D0533F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: printcon.bat
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\iestuff\PLUGINS\npqtplugin3.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62893D28-0F71-43DC-9500-4DA29213787F}: NameServer = 192.168.2.6
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O20 - Winlogon Notify: fccddCrp - fccddCrp.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 6988 bytes
poisnivy13
Regular Member
 
Posts: 16
Joined: May 1st, 2008, 4:38 pm
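A note on the ComboFix report above. The entries the helper goes on to list for removal share a few traits a triager can check mechanically: an .ini in system32 carrying hidden+system attributes (gPYccMoq.ini, flags --ahs----), web content (index.html, promogif*.gif) dropped straight into C:\WINDOWS, and a hidden system folder whose name, Q2FwdGFpbiBBbmR5J3M, is base64 for the profile name "Captain Andy's" seen elsewhere in the same report. The following Python script is an added example (mine, not ComboFix's, HijackThis's or the forum's code) that reads constructed lines in the report's "Files Created" format and flags exactly those traits; the attribute letters are read by presence (h, s) rather than by column position, which is an assumption about the ComboFix layout.

```python
"""Triage helper for ComboFix "Files Created" lines (added example, not ComboFix code)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines in the layout of the ComboFix report posted above.
SAMPLE_REPORT = [
    r"2008-04-30 09:57 . 2008-04-30 09:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe",
    r"2008-04-28 08:06 . 2008-04-28 08:06 417 --ahs---- C:\WINDOWS\system32\gPYccMoq.ini",
    r"2008-04-27 12:59 . 2008-04-27 12:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy",
    r"2008-04-26 13:28 . 2008-04-26 13:28 578 --a------ C:\WINDOWS\index.html",
    r"2008-04-26 12:39 . 2008-04-28 12:03 <DIR> d--hs---- C:\WINDOWS\Q2FwdGFpbiBBbmR5J3M",
    r"2008-04-26 12:39 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys",
]

# created . modified size-or-<DIR> nine-letter-attribute-field path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# File types that have no business sitting directly in %SystemRoot%;
# the report above shows index.html and promogif*.gif there.
WEB_EXTENSIONS = {"html", "htm", "gif"}


@dataclass
class Flag:
    path: str
    reasons: List[str]


def base64_name(name: str) -> Optional[str]:
    """Return the decoded text if `name` is base64 of printable ASCII, else None.

    Requires a dot-free name of at least 12 base64 characters so that ordinary
    short folder names are not decoded by accident.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]{12,}", name):
        return None
    padded = name + "=" * (-len(name) % 4)  # ComboFix shows the name without '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def review(lines: List[str]) -> List[Flag]:
    """Parse report lines and return the entries that match a suspicious trait."""
    flags: List[Flag] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        parent, _, name = path.rpartition("\\")
        reasons: List[str] = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        decoded = base64_name(name)
        if decoded is not None:
            reasons.append(f"name is base64 of {decoded!r}")
        if parent.lower() == r"c:\windows" and name.rsplit(".", 1)[-1].lower() in WEB_EXTENSIONS:
            reasons.append("web content dropped directly into %SystemRoot%")
        if reasons:
            flags.append(Flag(path, reasons))
    return flags


if __name__ == "__main__":
    for flag in review(SAMPLE_REPORT):
        print(flag.path)
        for reason in flag.reasons:
            print("   -", reason)
```

Run against the constructed lines it reports gPYccMoq.ini, index.html and the Q2FwdGFpbiBBbmR5J3M folder and stays silent on VundoFixSVC.exe, GroupPolicy (hidden but not system) and beep.sys. None of these heuristics is proof of infection on its own; they pick out what to look at first, which is what the helper then confirms against the HijackThis log.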

Re: trojan.virtumonde/trojan.agent

Unread postby Shaba » May 16th, 2008, 10:20 pm

Hi

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\gPYccMoq.ini
C:\WINDOWS\BMa3c35928.xml
C:\WINDOWS\promogif3.gif
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\index.html
C:\WINDOWS\system32\clbcfg.dat

Folder::
C:\WINDOWS\system32\NtmsData
C:\WINDOWS\system32\wTMP
C:\WINDOWS\Q2FwdGFpbiBBbmR5J3M
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddCrp]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
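The Registry:: section of the CFScript above targets the two load points HijackThis marked "(file missing)": the O20 Winlogon Notify package fccddCrp and the O21 ShellServiceObjectDelayLoad value WebProxy. Earlier cleaners deleted the DLLs but left the registry entries behind, so Winlogon and Explorer keep trying to load modules that no longer exist. The following Python checker is an added example (mine, not HijackThis, ComboFix or forum code) that reads HijackThis v2 lines (sample lines constructed from the log posted in this thread), flags such orphaned entries, maps each to the registry location it lives in (the standard Windows XP paths; the ComboFix report above shows the Notify and ShellServiceObjectDelayLoad keys in full) and renders the matching Registry:: section in the REGEDIT4 form the CFScript uses. Handling the O2 "(no file)" BHO under Explorer\Browser Helper Objects goes beyond what the thread's script touches and is my extension.

```python
"""Orphaned load-point finder for HijackThis v2 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: representative lines in HijackThis v2.0.2 format, taken from the
# shape of the log posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll",
    r"O2 - BHO: (no name) - {D92321BF-3D8F-4F66-8716-5E5F84D0533F} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O20 - Winlogon Notify: fccddCrp - fccddCrp.dll (file missing)",
    r"O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)",
    r"O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe",
]

# Registry locations each HijackThis section reads from (Windows XP, HKLM).
HKLM = "HKEY_LOCAL_MACHINE"
BHO_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SSODL_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<file>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.*)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<file>.*)$"),
}


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "O21"
    name: str       # BHO name, Notify subkey or SSODL value name as printed
    module: str     # module the entry points to (no longer on disk)
    reg_key: str    # registry key holding the load point
    reg_value: str  # value to delete under reg_key, or "" to delete the whole key


def is_orphan(file_field: str) -> bool:
    """HijackThis prints '(file missing)' or '(no file)' when the module is gone."""
    f = file_field.strip()
    return f.endswith("(file missing)") or f == "(no file)"


def _to_finding(code: str, m: re.Match) -> Finding:
    name, module = m.group("name"), m.group("file")
    if code == "O2":   # one subkey per BHO CLSID
        return Finding(code, name, module, BHO_KEY + "\\" + m.group("clsid"), "")
    if code == "O20":  # one subkey per Notify package
        return Finding(code, name, module, NOTIFY_KEY + "\\" + name, "")
    return Finding(code, name, module, SSODL_KEY, name)  # O21: one value in a shared key


def find_orphans(lines: List[str]) -> List[Finding]:
    """Return the O2/O20/O21 entries whose module is missing, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for code, pat in PATTERNS.items():
            m = pat.match(line)
            if m is None:
                continue
            if is_orphan(m.group("file")):
                findings.append(_to_finding(code, m))
            break
    return findings


def cfscript_registry_section(findings: List[Finding]) -> str:
    """Render a Registry:: section in REGEDIT4 syntax: '[-key]' deletes a key,
    '"name"=-' deletes one value, as in the CFScript posted in this thread."""
    out = ["Registry::"]
    for f in findings:
        if f.reg_value:
            out += [f"[{f.reg_key}]", f'"{f.reg_value}"=-', ""]
        else:
            out += [f"[-{f.reg_key}]", ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = find_orphans(SAMPLE_LOG)
    for f in found:
        print(f"{f.code:<4}{f.name:<16}{f.module}")
    print()
    print(cfscript_registry_section(found))
```

The checker only reports entries whose module is absent; an O20 or O21 entry that still points at an existing DLL needs a look at the DLL itself (the Jotti/VirusTotal step earlier in the thread) before anything is removed. Rendering the Registry:: section from the parsed findings keeps the key names exact, which matters because a typo in a CFScript line silently does nothing.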

Re: trojan.virtumonde/trojan.agent

Unread postby poisnivy13 » May 18th, 2008, 8:13 pm

aloha,

after running combofix it stopped at stage 39B and wouldn't go any further, task manager wouldn't open (clicked on it but wouldn't come up), had to do a hard reboot, all frozen.
second combofix stopped at end but wouldn't finish or provide a log, task manager wouldn't open, did a hard reboot.

third time, started up in safe mode and combofix ran properly. here are combofix log and hijackthis log:

ComboFix 08-05-15.3 - Captain Andy's 2008-05-18 13:44:13.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -10:00]
Running from: C:\Documents and Settings\Captain Andy's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Captain Andy's\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\BMa3c35928.xml
C:\WINDOWS\index.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\gPYccMoq.ini
C:\WINDOWS\system32\NtmsData :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Temp
C:\WINDOWS\BMa3c35928.xml
C:\WINDOWS\index.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\Q2FwdGFpbiBBbmR5J3M
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\gPYccMoq.ini
C:\WINDOWS\system32\wTMP

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-16 03:05 . 2008-05-16 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-08 04:00 . 2008-05-08 04:00 1,024 --ah----- C:\Documents and Settings\QBPOSDBSrvUser\NTUSER.DAT.COPY.TMP.LOG
2008-04-30 15:52 . 2003-11-19 13:48 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-04-30 11:55 . 2008-04-30 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 09:57 . 2008-04-30 09:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-30 08:38 . 2008-05-01 12:14 <DIR> d-------- C:\VundoFix Backups
2008-04-30 08:29 . 2008-04-30 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-30 08:29 . 2008-04-28 12:49 159,112 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-04-30 08:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-30 08:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 08:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-04-28 08:19 . 2008-05-16 09:19 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-28 08:18 . 2008-04-28 08:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-28 08:17 . 2007-03-29 02:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-28 08:17 . 2007-03-29 02:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-28 08:17 . 2007-03-29 02:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-28 08:17 . 2007-03-29 02:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-27 15:16 . 2008-05-16 03:10 3,544 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-04-27 15:00 . 2008-04-27 15:21 <DIR> d-------- C:\cc774ba8b9cf1549ae426e4815
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\Malwarebytes
2008-04-27 13:12 . 2008-04-27 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-27 12:59 . 2008-04-27 12:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-27 12:57 . 2004-08-04 12:00 566,784 --a------ C:\WINDOWS\system32\gpedit.dll
2008-04-27 12:56 . 2004-08-04 12:00 117,760 --a------ C:\WINDOWS\system32\fde.dll
2008-04-27 12:24 . 2008-04-28 09:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 12:24 . 2008-04-28 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 12:06 . 2008-04-27 12:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:50 . 2008-04-27 11:50 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 09:23 . 2008-05-16 11:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-27 09:23 . 2008-04-27 09:23 <DIR> d-------- C:\Documents and Settings\Captain Andy's\Application Data\PC Tools
2008-04-27 09:23 . 2008-05-18 13:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 09:23 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-27 09:23 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-27 09:23 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-27 09:23 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-26 15:10 . 2008-04-26 15:10 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-26 12:39 . 2004-08-04 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 23:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-27 21:27 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-27 18:39 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\Captain Andy's\Application Data\AOL
2008-04-27 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-27 18:38 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-27 18:36 --------- d-----w C:\Program Files\Yahoo!
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-12-05 04:33 35,378,168 ----a-w C:\Program Files\Avery_Wizard_Holiday.exe
2007-10-24 19:59 1,951,432 ----a-w C:\Program Files\ppviewer.exe
2008-01-18 18:01 56 --sh--r C:\WINDOWS\system32\5B3F3EE646.sys
2008-01-18 18:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-16_10.17.34.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 20:01:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 23:36:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D92321BF-3D8F-4F66-8716-5E5F84D0533F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-31 07:02 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-31 07:02 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 21:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 06:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 06:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 15:20 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 15:20 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 13:48 32881]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
printcon.bat [2006-08-07 18:12:33 49]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-17 17:36:00 811008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-28 12:49]
S1 ql10800;ql10800;C:\WINDOWS\system32\drivers\ql10800.sys []
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 13:50:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 13:52:52
ComboFix-quarantined-files.txt 2008-05-18 23:52:50
ComboFix2.txt 2008-05-16 20:18:17
ComboFix3.txt 2008-05-10 00:45:45
ComboFix4.txt 2008-05-09 20:02:37

Pre-Run: 63,727,382,528 bytes free
Post-Run: 63,716,921,344 bytes free

154 --- E O F --- 2008-05-16 13:15:44

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:58 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.napali.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D92321BF-3D8F-4F66-8716-5E5F84D0533F} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: printcon.bat
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\iestuff\PLUGINS\npqtplugin3.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62893D28-0F71-43DC-9500-4DA29213787F}: NameServer = 192.168.2.6
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 6861 bytes


thank you!
melissa
poisnivy13