Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virtumonde

Unread postby Humboldt12 » August 22nd, 2008, 5:28 am

Hi, my wife's computer has got virtumonde, at least according to PC Tools' Spyware Doctor. It reveals a list of files which it says it deletes, but it needs to reboot to complete removal. Virtumonde is obviously mutating during this process as it is still there when we rescan.

Would it work to just go through manually and delete all the files listed by Spyware Doctor, instead of allowing it to attempt to clean them?

We are not in a position to format the hard drive as my wife has (doh!) left her system disks in Japan.

Thanks.

Here is the Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:23:28, on 18/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ?T?C?g?C?g ?w???p?[ - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dE0GVwEx] C:\PROGRA~1\uoosxptr\uvtsqoow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\nakadasachiko\?f?X?N?g?b?v\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [A00F34F7EE2.exe] C:\DOCUME~1\NAKADA~1\LOCALS~1\Temp\_A00F34F7EE2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Lookup in Bookshelf - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Bookshelf‚ÅŒŸõ(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1455382692
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C7173F75-4426-4B86-B5F4-BA500BE66FE0} (ChainCast VMR Client Proxy) - http://sports.1242.com/chaincast/ccpm_0221.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: __c0052072 - C:\WINDOWS\system32\__c0052072.dat
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7592 bytes
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am
Advertisement
Register to Remove

Re: Virtumonde

Unread postby Axephilic » August 23rd, 2008, 3:39 pm

Hello Humboldt12,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to expain or go more into depth for you. :)
  2. I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replys in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Please also include a new HijackThis log.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » August 24th, 2008, 8:47 am

Hi Adam, thanks for replying. I really appreciate your help.

I hope it doesn't make a difference, but I should probably warn you that the basic language of my wife's computer is Japanese.

Anyway, here is the uninstall list you asked for:

Abacast Version 1.25f1
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Mini
Adobe Reader 8.1.2 - Japanese
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
EndNote 8.0.1
F-CD?e?g?v???[?g?_?E?g???[?h?\?t?g
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Huffyuv AVI lossless video codec (Remove Only)
Intel(R) Extreme Graphics Driver Software
ISI ResearchSoft - Export Helper
Logicool(r) Camera ?h?ñ?C?o
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 ?p?I Security Update (KB928365)
Microsoft 2YA~CANIT AU‹AYCT
Microsoft Bookshelf Basic Version 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Personal
Microsoft Outlook Plus! Version 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSN ?c?[???o?[
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
OCN?A‹AEsPC
ODN Signup Software
Paint Shop Pro 7
PC Tools AntiVirus4.0
PCTEL 2304WT V.92 MDC Modem Drivers
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Spyware Doctor 5.5
Step by Step Interactive Training ?p?Z?L?c???e?B?X?V?v???O?ñ?? (KB898458)
Step by Step Interactive Training ?p?Z?L?c???e?B?X?V?v???O?ñ?? (KB923723)
Synaptics TouchPad
UMVPLStandalone
VideoLAN VLC media player 0.8.1
Viewpoint Media Player (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 7 ?z?b?g?t?B?b?N?X (KB947864)
Windows Internet Explorer 7 ?Z?L?c???e?B?X?V (KB938127)
Windows Internet Explorer 7 ?Z?L?c???e?B?X?V (KB942615)
Windows Internet Explorer 7 ?Z?L?c???e?B?X?V (KB944533)
Windows Internet Explorer 7 ?Z?L?c???e?B?X?V (KB950759)
Windows Internet Explorer 7 ?Z?L?c???e?B?X?V (KB953838)
Windows Live ?T?C?g?C?g ?A?V?X?^?g?g
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player (KB911564) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows Media Player 10 (KB911565) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows Media Player 10 (KB917734) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows Media Player 11
Windows Media Player 11
Windows Media Player 11 (KB936782) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows Media Player 11 (KB939683) ?z?b?g?t?B?b?N?X
Windows Media Player 6.4 (KB925398) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows XP (KB941569) ?Z?L?c???e?B?aee?I?C?3?v???O?ñ??
Windows XP ?X?V (KB894391)
Windows XP ?X?V (KB896727)
Windows XP ?X?V (KB898461)
Windows XP ?X?V (KB900485)
Windows XP ?X?V (KB904942)
Windows XP ?X?V (KB908531)
Windows XP ?X?V (KB910437)
Windows XP ?X?V (KB911280)
Windows XP ?X?V (KB916595)
Windows XP ?X?V (KB920872)
Windows XP ?X?V (KB922582)
Windows XP ?X?V (KB927891)
Windows XP ?X?V (KB929338)
Windows XP ?X?V (KB930916)
Windows XP ?X?V (KB931836)
Windows XP ?X?V (KB932823-v3)
Windows XP ?X?V (KB933360)
Windows XP ?X?V (KB936357)
Windows XP ?X?V (KB938828)
Windows XP ?X?V (KB942763)
Windows XP ?X?V (KB942840)
Windows XP ?X?V (KB946627)
Windows XP ?X?V (KB951072-v2)
Windows XP ?z?b?g?t?B?b?N?X - KB834707
Windows XP ?z?b?g?t?B?b?N?X - KB867282
Windows XP ?z?b?g?t?B?b?N?X - KB873333
Windows XP ?z?b?g?t?B?b?N?X - KB873339
Windows XP ?z?b?g?t?B?b?N?X - KB885250
Windows XP ?z?b?g?t?B?b?N?X - KB885835
Windows XP ?z?b?g?t?B?b?N?X - KB885836
Windows XP ?z?b?g?t?B?b?N?X - KB885884
Windows XP ?z?b?g?t?B?b?N?X - KB886185
Windows XP ?z?b?g?t?B?b?N?X - KB886677
Windows XP ?z?b?g?t?B?b?N?X - KB887472
Windows XP ?z?b?g?t?B?b?N?X - KB887742
Windows XP ?z?b?g?t?B?b?N?X - KB888113
Windows XP ?z?b?g?t?B?b?N?X - KB888302
Windows XP ?z?b?g?t?B?b?N?X - KB890047
Windows XP ?z?b?g?t?B?b?N?X - KB890175
Windows XP ?z?b?g?t?B?b?N?X - KB890859
Windows XP ?z?b?g?t?B?b?N?X - KB890923
Windows XP ?z?b?g?t?B?b?N?X - KB891781
Windows XP ?z?b?g?t?B?b?N?X - KB893066
Windows XP ?z?b?g?t?B?b?N?X - KB893086
Windows XP ?z?b?g?t?B?b?N?X (KB914440)
Windows XP ?z?b?g?t?B?b?N?X (KB952287)
Windows XP ?Z?L?c???e?B?X?V (KB883939)
Windows XP ?Z?L?c???e?B?X?V (KB890046)
Windows XP ?Z?L?c???e?B?X?V (KB893756)
Windows XP ?Z?L?c???e?B?X?V (KB896358)
Windows XP ?Z?L?c???e?B?X?V (KB896422)
Windows XP ?Z?L?c???e?B?X?V (KB896423)
Windows XP ?Z?L?c???e?B?X?V (KB896424)
Windows XP ?Z?L?c???e?B?X?V (KB896428)
Windows XP ?Z?L?c???e?B?X?V (KB899587)
Windows XP ?Z?L?c???e?B?X?V (KB899588)
Windows XP ?Z?L?c???e?B?X?V (KB899591)
Windows XP ?Z?L?c???e?B?X?V (KB900725)
Windows XP ?Z?L?c???e?B?X?V (KB901017)
Windows XP ?Z?L?c???e?B?X?V (KB901190)
Windows XP ?Z?L?c???e?B?X?V (KB901214)
Windows XP ?Z?L?c???e?B?X?V (KB902400)
Windows XP ?Z?L?c???e?B?X?V (KB903235)
Windows XP ?Z?L?c???e?B?X?V (KB904706)
Windows XP ?Z?L?c???e?B?X?V (KB905414)
Windows XP ?Z?L?c???e?B?X?V (KB905749)
Windows XP ?Z?L?c???e?B?X?V (KB908519)
Windows XP ?Z?L?c???e?B?X?V (KB911562)
Windows XP ?Z?L?c???e?B?X?V (KB911567)
Windows XP ?Z?L?c???e?B?X?V (KB911927)
Windows XP ?Z?L?c???e?B?X?V (KB912812)
Windows XP ?Z?L?c???e?B?X?V (KB912919)
Windows XP ?Z?L?c???e?B?X?V (KB913446)
Windows XP ?Z?L?c???e?B?X?V (KB913580)
Windows XP ?Z?L?c???e?B?X?V (KB914388)
Windows XP ?Z?L?c???e?B?X?V (KB914389)
Windows XP ?Z?L?c???e?B?X?V (KB916281)
Windows XP ?Z?L?c???e?B?X?V (KB917159)
Windows XP ?Z?L?c???e?B?X?V (KB917344)
Windows XP ?Z?L?c???e?B?X?V (KB917422)
Windows XP ?Z?L?c???e?B?X?V (KB917953)
Windows XP ?Z?L?c???e?B?X?V (KB918118)
Windows XP ?Z?L?c???e?B?X?V (KB918439)
Windows XP ?Z?L?c???e?B?X?V (KB918899)
Windows XP ?Z?L?c???e?B?X?V (KB919007)
Windows XP ?Z?L?c???e?B?X?V (KB920213)
Windows XP ?Z?L?c???e?B?X?V (KB920214)
Windows XP ?Z?L?c???e?B?X?V (KB920670)
Windows XP ?Z?L?c???e?B?X?V (KB920683)
Windows XP ?Z?L?c???e?B?X?V (KB920685)
Windows XP ?Z?L?c???e?B?X?V (KB921398)
Windows XP ?Z?L?c???e?B?X?V (KB921503)
Windows XP ?Z?L?c???e?B?X?V (KB921883)
Windows XP ?Z?L?c???e?B?X?V (KB922616)
Windows XP ?Z?L?c???e?B?X?V (KB922760)
Windows XP ?Z?L?c???e?B?X?V (KB922819)
Windows XP ?Z?L?c???e?B?X?V (KB923191)
Windows XP ?Z?L?c???e?B?X?V (KB923414)
Windows XP ?Z?L?c???e?B?X?V (KB923694)
Windows XP ?Z?L?c???e?B?X?V (KB923980)
Windows XP ?Z?L?c???e?B?X?V (KB924191)
Windows XP ?Z?L?c???e?B?X?V (KB924270)
Windows XP ?Z?L?c???e?B?X?V (KB924496)
Windows XP ?Z?L?c???e?B?X?V (KB924667)
Windows XP ?Z?L?c???e?B?X?V (KB925454)
Windows XP ?Z?L?c???e?B?X?V (KB925486)
Windows XP ?Z?L?c???e?B?X?V (KB925902)
Windows XP ?Z?L?c???e?B?X?V (KB926255)
Windows XP ?Z?L?c???e?B?X?V (KB926436)
Windows XP ?Z?L?c???e?B?X?V (KB927779)
Windows XP ?Z?L?c???e?B?X?V (KB927802)
Windows XP ?Z?L?c???e?B?X?V (KB928090)
Windows XP ?Z?L?c???e?B?X?V (KB928255)
Windows XP ?Z?L?c???e?B?X?V (KB928843)
Windows XP ?Z?L?c???e?B?X?V (KB929123)
Windows XP ?Z?L?c???e?B?X?V (KB929969)
Windows XP ?Z?L?c???e?B?X?V (KB930178)
Windows XP ?Z?L?c???e?B?X?V (KB931261)
Windows XP ?Z?L?c???e?B?X?V (KB931768)
Windows XP ?Z?L?c???e?B?X?V (KB931784)
Windows XP ?Z?L?c???e?B?X?V (KB932168)
Windows XP ?Z?L?c???e?B?X?V (KB933566)
Windows XP ?Z?L?c???e?B?X?V (KB933729)
Windows XP ?Z?L?c???e?B?X?V (KB935839)
Windows XP ?Z?L?c???e?B?X?V (KB935840)
Windows XP ?Z?L?c???e?B?X?V (KB936021)
Windows XP ?Z?L?c???e?B?X?V (KB937143)
Windows XP ?Z?L?c???e?B?X?V (KB938127)
Windows XP ?Z?L?c???e?B?X?V (KB938829)
Windows XP ?Z?L?c???e?B?X?V (KB939653)
Windows XP ?Z?L?c???e?B?X?V (KB941202)
Windows XP ?Z?L?c???e?B?X?V (KB941568)
Windows XP ?Z?L?c???e?B?X?V (KB941644)
Windows XP ?Z?L?c???e?B?X?V (KB941693)
Windows XP ?Z?L?c???e?B?X?V (KB942615)
Windows XP ?Z?L?c???e?B?X?V (KB943055)
Windows XP ?Z?L?c???e?B?X?V (KB943460)
Windows XP ?Z?L?c???e?B?X?V (KB943485)
Windows XP ?Z?L?c???e?B?X?V (KB944533)
Windows XP ?Z?L?c???e?B?X?V (KB944653)
Windows XP ?Z?L?c???e?B?X?V (KB945553)
Windows XP ?Z?L?c???e?B?X?V (KB946026)
Windows XP ?Z?L?c???e?B?X?V (KB946648)
Windows XP ?Z?L?c???e?B?X?V (KB948590)
Windows XP ?Z?L?c???e?B?X?V (KB948881)
Windows XP ?Z?L?c???e?B?X?V (KB950749)
Windows XP ?Z?L?c???e?B?X?V (KB950760)
Windows XP ?Z?L?c???e?B?X?V (KB950762)
Windows XP ?Z?L?c???e?B?X?V (KB950974)
Windows XP ?Z?L?c???e?B?X?V (KB951066)
Windows XP ?Z?L?c???e?B?X?V (KB951376)
Windows XP ?Z?L?c???e?B?X?V (KB951376-v2)
Windows XP ?Z?L?c???e?B?X?V (KB951698)
Windows XP ?Z?L?c???e?B?X?V (KB951748)
Windows XP ?Z?L?c???e?B?X?V (KB952954)
Windows XP ?Z?L?c???e?B?X?V (KB953839)
Windows XP Service Pack 2


And here is the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:28:45, on 24/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ?T?C?g?C?g ?w???p?[ - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dE0GVwEx] C:\PROGRA~1\uoosxptr\uvtsqoow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\nakadasachiko\?f?X?N?g?b?v\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [A00F34F7EE2.exe] C:\DOCUME~1\NAKADA~1\LOCALS~1\Temp\_A00F34F7EE2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Lookup in Bookshelf - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Bookshelf‚ÅŒŸõ(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1455382692
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C7173F75-4426-4B86-B5F4-BA500BE66FE0} (ChainCast VMR Client Proxy) - http://sports.1242.com/chaincast/ccpm_0221.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: __c0052072 - C:\WINDOWS\system32\__c0052072.dat
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7625 bytes
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Axephilic » August 24th, 2008, 9:32 pm

Hello,

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » August 26th, 2008, 5:01 pm

Hi,

I've downloaded Combofix, but when trying to install the Windows Recovery Console, as it asks me to in the link you posted, PC Tools tells me about a high risk trojan trying to access one of my files.

Although the guide says to turn off spyware checkers for the running of Combofix, it says nothing about doing so for installing the Recovery Console, so I guess this is irregular. What do you suggest?

Thanks...
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Humboldt12 » August 26th, 2008, 5:02 pm

PS. I'm sorry, I've forgotten the name of the trojan, but it wasn't Virtumonde.
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Humboldt12 » August 26th, 2008, 8:38 pm

Sorry for posting in several replies like this.

The new threat is PWS.Bancos. According to Spyware Doctor, it is a password stealer, and also a trojan. It was in one of the files, pv.cfexe in the folder Combofix created after I tried to install the Windows Recovery Console.

I should point out that I did not download Combofix on my wife's computer, which is infected with Virtumonde, but copied it from my own, which is clean. My wife's computer has not been connected to the internet since my last Spyware Doctor scan, which did not pick up any PWS.Bancos infection, so it cannot have been downloaded by Virtumonde. I'm no expert, but the obvious conclusion seems to be that PWS.Bancos must have come with the Combofix, or with the Windows Recovery Console file. Can either of these have been contaminated?

Actually, this goes back to the circumstances surrounding the emergence of Virtumonde in the first place. It first appeared after my wife re-installed her Logitech camera, and downloaded and installed Skype, and then used it to contact Japan. Surely these are not acts one would generally expect to get serious spyware infections from.

Does any of this make any sense to you?
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Axephilic » August 26th, 2008, 11:23 pm

Hello, please disable your security applications before installing the Recovery Console. Then, continue following the instructions in my previous post.

Thank you for asking before continuing. :)

You can download all of the programs from your computer and transfer them. That is fine, just make sure you don't run them on your own machine. Especially ComboFix because there can be serious errors and it could even crash your system if used wrong. :) Good idea disconnecting the infected PC from the internet though. We will take care of the infections. :cheers:

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » August 28th, 2008, 9:52 pm

Ok Adam, I closed my eyes, put my fingers in my ears :bom: , and ran ComboFix... and it seemed to work ok! :)

Here is the Combofix log:

ComboFix 08-08-24.02 - nakadasachiko 2008-08-29 10:01:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.1.1041.18.65 [GMT 9:00]
Running from: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\ComboFix.exe
Command switches used :: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@advertising[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@hits.gureport.co[2].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@metrics.adobe[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@peach.bskyb[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@revsci[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@tsw0[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@ww0.timeout[1].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@www.leftlion.co[2].txt
C:\Documents and Settings\nakadasachiko\Cookies\nakadasachiko@www.reed.co[2].txt
C:\WINDOWS\system32\__c0052072.dat
C:\WINDOWS\system32\~.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-27 09:12 . 2008-08-27 09:12 304 --a------ C:\WINDOWS\SYSTEM32\ikhcore.cfg
2008-08-18 01:22 . 2008-08-18 01:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 18:58 . 2008-05-01 23:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-29 01:16 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-29 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-17 09:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-16 18:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-16 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 16:13 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-19 11:03 --------- d-----w C:\Program Files\XML
2008-07-19 10:49 --------- d-----w C:\Documents and Settings\nakadasachiko\Application Data\PC Tools
2008-07-19 10:48 --------- d-----w C:\Program Files\Google
2007-03-24 11:10 34,584 ----a-w C:\Documents and Settings\nakadasachiko\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:55 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Documents and Settings\nakadasachiko\??????\Winamp\winampa.exe" [?]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 16:55 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 02:14 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 02:05 114688]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 14:43 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 14:43 557056]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-03 12:33 192591]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-03-13 04:52 77824]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 09:46 497200]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34 614960]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 163840 C:\WINDOWS\SYSTEM32\pctspk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-04 16:55 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe]

C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickShelf.lnk - C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe [2000-12-20 19:06:16 36911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^Date Manager.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^GStartup.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2002-06-21 18:44]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-dE0GVwEx - C:\PROGRA~1\uoosxptr\uvtsqoow.exe
Notify-__c0052072 - C:\WINDOWS\system32\__c0052072.dat
MSConfigStartUp-atfnxh - C:\WINDOWS\System32\xvlxqk.exe
MSConfigStartUp-WINSTA~1 - C:\WINDOWS\System\WINSTA~1.EXE


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Lookup in Bookshelf - C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 -: Bookshelf‚ÅŒŸõ(&L) - C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 -: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {C7173F75-4426-4B86-B5F4-BA500BE66FE0} - hxxp://sports.1242.com/chaincast/ccpm_0221.cab
C:\WINDOWS\Downloaded Program Files\ccpm_0221.inf
C:\WINDOWS\Downloaded Program Files\ccpm_0221.dll
C:\WINDOWS\Downloaded Program Files\ccpm_0221.exe
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 10:14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\ 262144 bytes
C:\Documents and Settings\All Users\ 1024 bytes
C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\
C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\ 4718592 bytes
C:\Documents and Settings\nakadasachiko\ 176128 bytes
C:\Documents and Settings\nakadasachiko\ 278 bytes
C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\

scan completed successfully
hidden files: 28

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\SYSTEM32\conime.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-08-29 10:31:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 01:30:33

Pre-Run: 3,381,891,072 ƒoƒCƒg‚̋󂫗̈æ
Post-Run: 4,762,656,768 ƒoƒCƒg‚̋󂫗̈æ

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

172 --- E O F --- 2008-08-16 13:44:23

And here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:16, on 29/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live ?T?C?g?C?g ?w???p?[ - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\nakadasachiko\?f?X?N?g?b?v\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Lookup in Bookshelf - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Bookshelf‚ÅŒŸõ(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1455382692
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C7173F75-4426-4B86-B5F4-BA500BE66FE0} (ChainCast VMR Client Proxy) - http://sports.1242.com/chaincast/ccpm_0221.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7035 bytes
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Axephilic » August 29th, 2008, 3:06 pm

Hello,

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O16 - DPF: {C7173F75-4426-4B86-B5F4-BA500BE66FE0} (ChainCast VMR Client Proxy) - http://sports.1242.com/chaincast/ccpm_0221.cab
Close all open windows and click on Fix checked and when you get a popup window click on Yes.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\Downloaded Program Files\ccpm_0221.inf
C:\WINDOWS\Downloaded Program Files\ccpm_0221.dll
C:\WINDOWS\Downloaded Program Files\ccpm_0221.exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. Kaspersky report
  3. A new HijackThis log
  4. How is your computer running now?
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Axephilic » September 1st, 2008, 1:56 pm

Hello,

THREE DAY BUMP!

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?

If after 48 hours you have not replied to this thread, then it will have to be closed!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » September 2nd, 2008, 11:30 am

Yes, sorry, I've been away for the weekend, and am busy with work. I'll have a go at following out your instructions tonight.

Yours,

Stephen
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Humboldt12 » September 3rd, 2008, 8:06 am

Hi,

A bit of a problem. Because my wife's computer's language is Japanese, Notebook is changing the backslashes in your code to yen signs. I think this is affecting Combofix's behaviour: when I drag the txt file, instead of Combofix just opening and doing its thing, Windows asks me if I want to open Combofix, which then seems to set off on a general scan.

I think I just need to change the regional language settings, but as the list of languages is itself in Japanese, I can't work out which of them is English. So I'll have to wait until my wife gets here at the weekend. Could you keep this topic open until then?

Cheers,

Stephen
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Axephilic » September 3rd, 2008, 3:58 pm

I'll make sure it stays open. :)

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » September 8th, 2008, 4:41 pm

Hi, are you still there...? Thanks for staying with me. :)

I finally got combofix to work. It didn't do what it was supposed to in Japanese, so I switched to English, where it tried to work properly but couldn't; in desperation, I switched back to Japanese, where it worked fine! I know computers are supposed to work on a rational principle, but sometimes I think it's just little mice and wheels in there.

The computer seems a bit better. Spyware Doctor is no longer picking up either the virtumonde or the PWS.Bancos. It does pick up a low-threat Trojan.Generic, which I've omitted to delete, in case it has anything to do with Combofix, etc. However, Kaspersky did pick up some stuff (including a porndialer), as you'll see below.

Cheers,

Stephen

Here's the Combofix log:

ComboFix 08-08-24.02 - nakadasachiko 2008-09-09 0:22:02.3 - NTFSx86
Running from: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\ComboFix.exe
Command switches used :: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
C:\WINDOWS\Downloaded Program Files\ccpm_0221.dll
C:\WINDOWS\Downloaded Program Files\ccpm_0221.exe
C:\WINDOWS\Downloaded Program Files\ccpm_0221.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\ccpm_0221.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-08-29 10:32 . 2008-09-09 00:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-29 10:32 . 2008-08-29 10:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-27 09:12 . 2008-08-27 09:12 304 --a------ C:\WINDOWS\SYSTEM32\ikhcore.cfg
2008-08-18 01:22 . 2008-08-18 01:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 18:58 . 2008-05-01 23:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 15:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-08 15:16 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-09-08 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-17 09:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-16 18:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-16 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 16:13 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-19 11:03 --------- d-----w C:\Program Files\XML
2008-07-19 10:49 --------- d-----w C:\Documents and Settings\nakadasachiko\Application Data\PC Tools
2008-07-19 10:48 --------- d-----w C:\Program Files\Google
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:30 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:22 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 01:14 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:22 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:22 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:39 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-14 17:57 270,464 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-03-24 11:10 34,584 ----a-w C:\Documents and Settings\nakadasachiko\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_10.28.50.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-08 18:20:29 145,936 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-09-08 15:14:49 145,936 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:55 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 16:55 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 02:14 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 02:05 114688]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 14:43 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 14:43 557056]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-03 12:33 192591]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-03-13 04:52 77824]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 09:46 497200]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34 614960]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 163840 C:\WINDOWS\SYSTEM32\pctspk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:55 15360]

C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickShelf.lnk - C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe [2000-12-20 19:06:16 36911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^Date Manager.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^GStartup.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2002-06-21 18:44]

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 00:24:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-09 0:30:51
ComboFix-quarantined-files.txt 2008-09-08 15:30:38
ComboFix2.txt 2008-08-29 01:31:10

Pre-Run: 4,853,239,808 ƒoƒCƒg‚̋󂫗̈æ
Post-Run: 4,842,582,016 ƒoƒCƒg‚̋󂫗̈æ

140 --- E O F --- 2008-08-16 13:44:23


Here's the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 08, 2008 11:05:32
Records in database: 1201939
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 50056
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:54:18


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\__c0052072.dat.vir Infected: Trojan-Downloader.Win32.Agent.abtf 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir Infected: Trojan-Dropper.Win32.Agent.vue 1
C:\System Volume Information\_restore{D4CE0C74-ADB4-40A4-9F61-8656A0B63879}\RP613\A0092240.exe Infected: Trojan-Dropper.Win32.Agent.vue 1
C:\WINDOWS\Downloaded Program Files\gbn163.exe Infected: not-a-virus:Porn-Dialer.Win32.Juicy 1

The selected area was scanned.


And here's the latest HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:06:15, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live ?T?C?g?C?g ?w???p?[ - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Lookup in Bookshelf - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Bookshelf‚ÅŒŸõ(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun ? Java ????? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1455382692
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7675 bytes
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 87 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware