Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

cannot remove Virtumonde trojan from my PC

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » September 30th, 2008, 12:15 pm

Have tried Spybot S&D but it keeps coming back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:52, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CmWatch.exe
F:\Program Files\Virgin Broadband\PCguard\Rps.exe
F:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Thomas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Documents and Settings\Thomas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {35EB9C91-1CA6-11d5-8B2B-00C04F779127} - (no file)
O2 - BHO: (no name) - {477EAF90-13EE-4EB8-B926-5811846F1CDB} - C:\WINDOWS\system32\khfGxurP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: {372df9a8-8f7a-014a-cd14-860be663688b} - {b886366e-b068-41dc-a410-a7f88a9fd273} - C:\WINDOWS\system32\xzdzoq.dll
O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe
O4 - HKLM\..\Run: [PCguard] "F:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2703643000
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O20 - AppInit_DLLs: xzdzoq.dll
O20 - Winlogon Notify: vtUkjKbx - vtUkjKbx.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\comodo\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - F:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - (no file)
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe

--
End of file - 8553 bytes
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am
Advertisement
Register to Remove

Re: cannot remove Virtumonde trojan from my PC

Unread postby Scotty » October 1st, 2008, 4:09 am

Hi! Welcome to the forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » October 1st, 2008, 12:12 pm

Absolute Sound Recorder version 3.5.9
ACDSee for PENTAX
Acronis True Image Home
Add/Remove Cleaner (v2.3)
Adobe Acrobat eBook Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Advanced Port Scanner v1.3
Animated Knots
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AutoCAD 2008 - English
Autodesk DWF Viewer 7
AVIVO Codecs
BOClean
Camtasia Studio 5
CloneCD
C-Media USB Mass Storage Driver
COMODO Firewall Pro
CONNECT Auto Update
CONNECT Player
CONNECT Player Language Pack
Copy Utility
Corel Paint Shop Pro Photo X2
CreateInstall
dBpowerAMP Music Converter
DivX Web Player
DriverGuide Toolkit
DVD Decrypter (Remove Only)
DVD Region+CSS Free 5.82
DVD Shrink 3.2
dvdSanta 4.00
E-Book Reader v4.11
EPSON Photo Print
EPSON PhotoQuicker3.2
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
Free Notes & Office Ink
GnuPG For Windows
Google Earth
Google Gears
Google Updater
GRAFIKABLETT MD 85637
Guitar Pro 5.0
HiDownload
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Honda Marine v4.00
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
InfraRecorder
Ipswitch WS_FTP Professional 2006
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
Jasc Paint Shop Pro 9.01 Patch
Macromedia Flash Player 8
Macromedia Shockwave Player
MagicDisc 2.6.93
Memory-Map OS Edition 2004
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft DirectX Transform optional components
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Visual C++ 2005 Redistributable
Moleskinsoft File Sync 1.1
Motion Director
Mozilla Firefox (3.0.3)
Mozilla Thunderbird (2.0.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
Network Play System (Patching)
OpenMG Secure Module 4.3.00
PCI Audio Applications
PCI Audio Driver
PDF Manual NW-A10003000
PeerGuardian 2.0
Power AMR MP3 WAV WMA M4A AC3 Audio Converter 1.6
Power Presenter RE
PowerDVD
PowerISO
QuickTime
Registry Mechanic 7.0
RTLSetup
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Shockwave
Skype 2.5
Spybot - Search & Destroy
Spyware Doctor 6.0
Starry Night Deluxe
StreamigStar - Audio Converter 1.2
SureThing CD Labeler - Stomper Edition 32 bit
SymmTime
The Munros V1.1
U.S. Robotics iBand
U.S. Robotics Wireless USB Adapter
UltraEdit-32
Unreal II
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
USB Vibration Joystick
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6d
Virgin Broadband advisor 1.5.10
Virgin Broadband PCguard
Virtual Sailor
VirtuaWin v3.2
Warhammer Online: Age of Reckoning
Whisper 32
Winamp
Winamp Remote
Windows Genuine Advantage v1.3.0254.0
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinPcap 4.0.2
WinRAR archiver
WinZip
Wireshark 1.0.3
Xilisoft DVD Creator
Xvid 1.1.3 final uninstall
Yahoo! Music Jukebox
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby Scotty » October 1st, 2008, 5:30 pm

Hi

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:

Image

Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.


1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

combofix

Unread postby tattybaws » October 3rd, 2008, 4:26 pm

ComboFix 08-10-02.04 - Thomas 2008-10-03 15:38:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT 1:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thomas\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Thomas\Application Data\.#
C:\Documents and Settings\Thomas\Application Data\.#\MBX@A10@3741A8.###
C:\Documents and Settings\Thomas\Application Data\.#\MBX@A10@3741D8.###
C:\Documents and Settings\Thomas\Application Data\.#\MBX@A10@374208.###
C:\update.exe
C:\WINDOWS\BMf75a68a4.txt
C:\WINDOWS\BMf75a68a4.xml
C:\WINDOWS\system32\bvvgmopa.dll
C:\WINDOWS\system32\lbiemyyk.dll
C:\WINDOWS\system32\liiswg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nugclwhb.dll
C:\WINDOWS\system32\tsvdaacl.dll
C:\WINDOWS\system32\winitn.dll
C:\WINDOWS\system32\wixbbgql.dll
C:\WINDOWS\system32\xzdzoq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.

2008-09-30 19:36 . 2008-09-30 19:36 <DIR> d-------- C:\Program Files\Advanced Port Scanner
2008-09-30 17:09 . 2008-09-30 17:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 17:06 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-30 17:06 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-29 18:14 . 2008-09-29 18:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-29 08:57 . 2008-09-29 09:11 <DIR> d-------- C:\Program Files\MioNet
2008-09-28 18:53 . 2008-09-28 18:53 963,648 --ahs---- C:\WINDOWS\system32\qykymefd.ini
2008-09-28 10:14 . 2008-09-28 10:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 10:14 . 2008-09-29 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 10:07 . 2008-09-28 10:45 <DIR> d-------- C:\VundoFix Backups
2008-09-27 21:42 . 2008-09-27 21:42 <DIR> d-------- C:\Program Files\Moleskinsoft File Sync 1.1
2008-09-27 16:14 . 2008-09-29 09:11 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\MioNet
2008-09-25 19:18 . 2008-09-25 19:18 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Wireshark
2008-09-25 19:17 . 2008-09-25 19:17 <DIR> d-------- C:\Program Files\WinPcap
2008-09-25 19:16 . 2008-09-25 19:18 <DIR> d-------- C:\Program Files\Wireshark
2008-09-25 19:15 . 2008-09-29 13:49 965,193 ---hs---- C:\WINDOWS\system32\riuhvnsp.ini
2008-09-25 19:08 . 2008-09-29 07:42 743,967 --ahs---- C:\WINDOWS\system32\PruxGfhk.ini2
2008-09-25 19:08 . 2008-09-29 07:42 743,967 --ahs---- C:\WINDOWS\system32\PruxGfhk.ini
2008-09-25 17:47 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-09-25 17:47 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-09-25 17:47 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-09-25 17:47 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-09-25 17:47 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-09-25 17:47 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-09-25 17:47 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-09-25 17:44 . 2008-09-25 17:44 <DIR> d-------- C:\WINDOWS\Logs
2008-09-24 17:49 . 2008-10-01 17:13 <DIR> d-------- C:\Warhammer Online - Age of Reckoning
2008-09-22 18:29 . 2008-09-22 18:29 <DIR> d-------- C:\Maps
2008-09-22 18:28 . 2008-09-22 18:28 <DIR> d-------- C:\Program Files\Memory-Map
2008-09-15 20:20 . 2008-09-15 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-09-15 20:19 . 2008-09-15 20:19 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-09-15 18:51 . 2008-09-15 18:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-15 18:50 . 2008-09-15 18:50 <DIR> d-------- C:\Program Files\Virtual Sailor
2008-09-15 18:43 . 2008-09-15 20:20 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-15 18:41 . 2008-09-15 18:41 <DIR> d-------- C:\Program Files\TechSmith
2008-09-14 20:13 . 2008-09-15 18:50 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-09-14 20:13 . 2008-09-15 18:50 <DIR> d-------- C:\Program Files\AVSMedia
2008-09-14 20:13 . 2003-05-21 23:50 82,944 --a------ C:\WINDOWS\system32\vct3216.acm
2008-09-14 20:13 . 2004-02-04 21:11 81,920 --a------ C:\WINDOWS\system32\AC3ACM.acm
2008-09-14 20:13 . 2003-05-21 23:50 38,912 --a------ C:\WINDOWS\system32\alf2cd.acm
2008-09-14 20:13 . 2000-03-14 20:55 13,239 --a------ C:\WINDOWS\system32\Scg726.acm
2008-09-12 17:11 . 2008-09-15 18:51 <DIR> d-------- C:\Program Files\WinSCP
2008-09-11 20:48 . 2008-09-11 20:48 <DIR> d-------- C:\Program Files\Grog LLC
2008-09-11 20:47 . 2008-09-11 20:47 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Grog LLC
2008-09-10 18:42 . 2008-09-15 18:52 <DIR> d-------- C:\Program Files\MagicDVDCopier
2008-09-10 18:28 . 2008-09-15 18:52 <DIR> d-------- C:\Program Files\MagicDVDRipper
2008-09-04 21:41 . 2008-09-28 08:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-04 21:41 . 2008-09-04 21:41 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\PC Tools
2008-09-04 21:41 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-04 21:41 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-04 21:41 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-04 21:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-04 21:26 . 2008-09-27 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 19:19 . 2008-09-03 19:19 24 --a------ C:\WINDOWS\ZoneLib-DisplayNames.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 14:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-10-01 16:58 --------- d-----w C:\Program Files\Common Files\Command Software
2008-09-29 12:36 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-29 12:34 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-09-28 09:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-27 14:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-27 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-09-24 19:08 35,296 ----a-w C:\WINDOWS\system32\drivers\Dvd43.sys
2008-09-23 09:27 --------- d-----w C:\Program Files\Microsoft Games
2008-09-18 16:53 --------- d-----w C:\Documents and Settings\Thomas\Application Data\dvdcss
2008-09-15 19:25 --------- d-----w C:\Documents and Settings\Thomas\Application Data\U3
2008-09-15 17:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-15 17:50 --------- d-----w C:\Program Files\Apple Software Update
2008-09-14 18:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 06:19 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-09-08 19:09 --------- d-----w C:\Program Files\dvdSanta
2008-09-04 20:26 --------- d-----w C:\Program Files\Google
2008-09-04 17:24 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-09-03 18:19 --------- d-----w C:\Documents and Settings\Thomas\Application Data\Skype
2008-09-02 18:10 0 ----a-w C:\StarCodec_ver1.5897.0.exe
2008-09-02 18:09 0 ----a-w C:\MediaTube_ver1.1573.0.exe
2008-09-01 16:49 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-09-01 16:42 --------- d-----w C:\Program Files\AutoCAD 2006
2008-09-01 16:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\Autodesk
2008-09-01 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-28 17:09 --------- d-----w C:\Program Files\HiDownload
2008-08-10 09:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2005-09-11 08:44 90 ------w C:\Program Files\firebird.log
2002-07-26 16:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-11-23 04:08 712,704 ------w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-12-14 10:10 88 --sha-r C:\WINDOWS\system32\93EDC7971E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CmCardRun"="C:\WINDOWS\system32\CmWatch.exe" [2003-09-16 229376]
"PCguard"="F:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 275960]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [2007-04-09 1115728]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xzdzoq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.CSCD"= camcodec.dll
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CONNECTAUTrayApp.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SymmTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SymmTime.lnk
backup=C:\WINDOWS\pss\SymmTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^BadApple.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntl Netguard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-10-30 20:07 140568 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-10-30 20:11 909208 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--------- 2003-06-05 13:35 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]
--------- 2003-06-17 15:43 208896 C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--------- 2005-05-19 14:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CONNECTScheduler]
--------- 2005-11-15 03:54 69632 C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-16 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--------- 2005-12-10 15:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
--------- 2005-03-29 03:36 359424 C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 19:28 133104 C:\Documents and Settings\Thomas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 21:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
--a------ 2004-03-10 17:26 406016 C:\WINDOWS\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 11:13 188416 f:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--------- 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-10-30 20:06 2595616 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--------- 2004-04-23 12:00 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 23:54 37376 f:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--------- 2002-09-17 09:55 1622016 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-06-30 368544]
R2 devdpl;devdpl;C:\WINDOWS\system32\DRIVERS\devdpl.sys [2003-03-05 7168]
R2 litdpl;litdpl;C:\WINDOWS\system32\DRIVERS\litdpl.sys [2003-03-05 4736]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
R2 WTService;WTService;C:\WINDOWS\system32\atwtusb.exe [2007-05-29 360096]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-09-24 35296]
S3 jgameenp;jgameenp;C:\DOCUME~1\Thomas\LOCALS~1\Temp\jgameenp.sys [ ]
S3 mclusb;Freecom USB for Digital Audio Device Driver;C:\WINDOWS\system32\Drivers\mclusb.sys [2002-08-21 22900]
S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys [2004-08-11 380160]
S3 UMSSSTOR;C-Media Storage;C:\WINDOWS\system32\DRIVERS\UMSS.SYS [2004-07-13 48512]
S4 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 492720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\START.EXE
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{477EAF90-13EE-4EB8-B926-5811846F1CDB} - C:\WINDOWS\system32\khfGxurP.dll
BHO-{b886366e-b068-41dc-a410-a7f88a9fd273} - C:\WINDOWS\system32\xzdzoq.dll
Notify-vtUkjKbx - vtUkjKbx.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-MacrokeyManager - WTMKM.exe
MSConfigStartUp-PRISMSVR - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Thomas\Application Data\Mozilla\Firefox\Profiles\default.a2x\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.mininova.org/
FF -: plugin - C:\Documents and Settings\Thomas\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1334.1308\npCIDetect13.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_10\bin\NPOJI610.dll
.
.
------- File Associations -------
.
txtfile=C:\WINDOWS\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 15:54:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
F:\Program Files\comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-03 16:06:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-03 15:06:48

Pre-Run: 48,558,784,512 bytes free
Post-Run: 48,449,220,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff

329 --- E O F --- 2008-10-01 16:15:07
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Hijack This output

Unread postby tattybaws » October 3rd, 2008, 4:26 pm

Absolute Sound Recorder version 3.5.9
ACDSee for PENTAX
Acronis True Image Home
Add/Remove Cleaner (v2.3)
Adobe Acrobat eBook Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Advanced Port Scanner v1.3
Animated Knots
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AutoCAD 2008 - English
Autodesk DWF Viewer 7
AVIVO Codecs
BOClean
Camtasia Studio 5
CloneCD
C-Media USB Mass Storage Driver
COMODO Firewall Pro
CONNECT Auto Update
CONNECT Player
CONNECT Player Language Pack
Copy Utility
Corel Paint Shop Pro Photo X2
CreateInstall
dBpowerAMP Music Converter
DivX Web Player
DriverGuide Toolkit
DVD Decrypter (Remove Only)
DVD Region+CSS Free 5.82
DVD Shrink 3.2
dvdSanta 4.00
E-Book Reader v4.11
EPSON Photo Print
EPSON PhotoQuicker3.2
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
Free Notes & Office Ink
GnuPG For Windows
Google Earth
Google Gears
Google Updater
GRAFIKABLETT MD 85637
Guitar Pro 5.0
HiDownload
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Honda Marine v4.00
Hotfix for Windows XP (KB952287)
InFlac 1.1.1
InfraRecorder
Ipswitch WS_FTP Professional 2006
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
Jasc Paint Shop Pro 9.01 Patch
Macromedia Flash Player 8
Macromedia Shockwave Player
MagicDisc 2.6.93
Memory-Map OS Edition 2004
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft DirectX Transform optional components
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Visual C++ 2005 Redistributable
Moleskinsoft File Sync 1.1
Motion Director
Mozilla Firefox (3.0.3)
Mozilla Thunderbird (2.0.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
Network Play System (Patching)
OpenMG Secure Module 4.3.00
PCI Audio Applications
PCI Audio Driver
PDF Manual NW-A10003000
PeerGuardian 2.0
Power AMR MP3 WAV WMA M4A AC3 Audio Converter 1.6
Power Presenter RE
PowerDVD
PowerISO
QuickTime
Registry Mechanic 7.0
RTLSetup
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Shockwave
Skype 2.5
Spybot - Search & Destroy
Spyware Doctor 6.0
Starry Night Deluxe
StreamigStar - Audio Converter 1.2
SureThing CD Labeler - Stomper Edition 32 bit
SymmTime
The Munros V1.1
U.S. Robotics iBand
U.S. Robotics Wireless USB Adapter
UltraEdit-32
Unreal II
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
USB Vibration Joystick
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6d
Virgin Broadband advisor 1.5.10
Virgin Broadband PCguard
Virtual Sailor
VirtuaWin v3.2
Warhammer Online: Age of Reckoning
Whisper 32
Winamp
Winamp Remote
Windows Genuine Advantage v1.3.0254.0
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinPcap 4.0.2
WinRAR archiver
WinZip
Wireshark 1.0.3
Xilisoft DVD Creator
Xvid 1.1.3 final uninstall
Yahoo! Music Jukebox
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby Scotty » October 3rd, 2008, 6:09 pm

Hi

You posted an Uninstall List instead of a HijackThis log.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » October 4th, 2008, 3:55 am

Sorry about that.

Here is what I think you want. If not can you tell me the menu options you want me to select in "HijackThis"

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:53:05, on 04/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\CmWatch.exe
F:\Program Files\Virgin Broadband\PCguard\Rps.exe
F:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {35EB9C91-1CA6-11d5-8B2B-00C04F779127} - (no file)
O2 - BHO: (no name) - {477EAF90-13EE-4EB8-B926-5811846F1CDB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: (no name) - {b886366e-b068-41dc-a410-a7f88a9fd273} - (no file)
O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe
O4 - HKLM\..\Run: [PCguard] "F:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2703643000
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O20 - AppInit_DLLs: xzdzoq.dll
O20 - Winlogon Notify: vtUkjKbx - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\comodo\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - F:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - (no file)
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe

--
End of file - 7506 bytes
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby Scotty » October 6th, 2008, 6:56 pm

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.You must
also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingcomputer.com/forums/topic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code: Select all
File::
C:\WINDOWS\system32\qykymefd.ini
C:\WINDOWS\system32\riuhvnsp.ini
 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver::
jgameenp 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Refering to the picture above, drag CFScript into ComboFix.exe


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.

In your next reply post:
ComboFix.txt
MBAM log
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » October 8th, 2008, 1:36 pm

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:11, on 08/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CmWatch.exe
F:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\UltraEdit\uedit32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {35EB9C91-1CA6-11d5-8B2B-00C04F779127} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe
O4 - HKLM\..\Run: [PCguard] "F:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2703643000
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O20 - Winlogon Notify: vtUkjKbx - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\comodo\Firewall\cmdagent.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - F:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - (no file)
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe

--
End of file - 7077 bytes
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » October 8th, 2008, 1:36 pm

Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 2

08/10/2008 18:23:10
mbam-log-2008-10-08 (18-23-10).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 190521
Time elapsed: 53 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\HDBHO.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bvvgmopa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lbiemyyk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\liiswg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nugclwhb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tsvdaacl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wixbbgql.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xzdzoq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP962\A0308834.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320110.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320111.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320112.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320113.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320114.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320116.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320117.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320138.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320147.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP990\A0320150.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP992\A0320432.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP992\A0320434.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321253.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321254.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321255.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321256.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321257.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321258.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP997\A0321259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\bosdrtcw.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\bpkgxoqx.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\cxwegxvm.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\dthgaxeb.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\qlglvsdk.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\snandqcv.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\sphacfpe.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\ukchguse.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP933\A0301220.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{8FE38CD3-B424-4889-9E22-6361671BAABB}\RP933\A0301335.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby tattybaws » October 8th, 2008, 1:37 pm

ComboFix 08-10-02.04 - Thomas 2008-10-07 18:28:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT 1:00]
Running from: C:\Documents and Settings\Thomas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thomas\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\qykymefd.ini
C:\WINDOWS\system32\riuhvnsp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddcAtrpM.dll
C:\WINDOWS\system32\qykymefd.ini
C:\WINDOWS\system32\riuhvnsp.ini
C:\WINDOWS\system32\xxyxXQGy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JGAMEENP
-------\Service_jgameenp


((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-07 18:25 . 2008-10-07 18:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-07 18:25 . 2008-10-07 18:25 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Malwarebytes
2008-10-07 18:25 . 2008-10-07 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 18:25 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-07 18:25 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 19:36 . 2008-09-30 19:36 <DIR> d-------- C:\Program Files\Advanced Port Scanner
2008-09-30 17:09 . 2008-09-30 17:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 17:06 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-30 17:06 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-29 18:14 . 2008-09-29 18:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-29 08:57 . 2008-09-29 09:11 <DIR> d-------- C:\Program Files\MioNet
2008-09-28 10:14 . 2008-09-28 10:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 10:14 . 2008-09-29 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 10:07 . 2008-09-28 10:45 <DIR> d-------- C:\VundoFix Backups
2008-09-27 21:42 . 2008-09-27 21:42 <DIR> d-------- C:\Program Files\Moleskinsoft File Sync 1.1
2008-09-27 16:14 . 2008-09-29 09:11 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\MioNet
2008-09-25 19:18 . 2008-09-25 19:18 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Wireshark
2008-09-25 19:17 . 2008-09-25 19:17 <DIR> d-------- C:\Program Files\WinPcap
2008-09-25 19:16 . 2008-09-25 19:18 <DIR> d-------- C:\Program Files\Wireshark
2008-09-25 19:08 . 2008-09-29 07:42 743,967 --ahs---- C:\WINDOWS\system32\PruxGfhk.ini2
2008-09-25 19:08 . 2008-09-29 07:42 743,967 --ahs---- C:\WINDOWS\system32\PruxGfhk.ini
2008-09-25 17:47 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-09-25 17:47 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-09-25 17:47 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-09-25 17:47 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-09-25 17:47 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-09-25 17:47 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-09-25 17:47 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-09-25 17:44 . 2008-09-25 17:44 <DIR> d-------- C:\WINDOWS\Logs
2008-09-24 17:49 . 2008-10-03 21:31 <DIR> d-------- C:\Warhammer Online - Age of Reckoning
2008-09-22 18:29 . 2008-09-22 18:29 <DIR> d-------- C:\Maps
2008-09-22 18:28 . 2008-09-22 18:28 <DIR> d-------- C:\Program Files\Memory-Map
2008-09-15 20:20 . 2008-09-15 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-09-15 20:19 . 2008-09-15 20:19 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-09-15 18:51 . 2008-09-15 18:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-15 18:43 . 2008-09-15 20:20 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-15 18:41 . 2008-09-15 18:41 <DIR> d-------- C:\Program Files\TechSmith
2008-09-14 20:13 . 2008-09-15 18:50 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-09-14 20:13 . 2008-09-15 18:50 <DIR> d-------- C:\Program Files\AVSMedia
2008-09-14 20:13 . 2003-05-21 23:50 82,944 --a------ C:\WINDOWS\system32\vct3216.acm
2008-09-14 20:13 . 2004-02-04 21:11 81,920 --a------ C:\WINDOWS\system32\AC3ACM.acm
2008-09-14 20:13 . 2003-05-21 23:50 38,912 --a------ C:\WINDOWS\system32\alf2cd.acm
2008-09-14 20:13 . 2000-03-14 20:55 13,239 --a------ C:\WINDOWS\system32\Scg726.acm
2008-09-12 17:11 . 2008-10-05 18:45 <DIR> d-------- C:\Program Files\WinSCP
2008-09-11 20:48 . 2008-09-11 20:48 <DIR> d-------- C:\Program Files\Grog LLC
2008-09-11 20:47 . 2008-09-11 20:47 <DIR> d-------- C:\Documents and Settings\Thomas\Application Data\Grog LLC
2008-09-10 18:42 . 2008-09-15 18:52 <DIR> d-------- C:\Program Files\MagicDVDCopier
2008-09-10 18:28 . 2008-09-15 18:52 <DIR> d-------- C:\Program Files\MagicDVDRipper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 17:15 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-10-06 17:48 35,296 ----a-w C:\WINDOWS\system32\drivers\Dvd43.sys
2008-10-04 16:51 --------- d-----w C:\Program Files\dvdSanta
2008-10-01 16:58 --------- d-----w C:\Program Files\Common Files\Command Software
2008-09-29 12:36 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-29 12:34 --------- d-----w C:\Documents and Settings\Thomas\Application Data\uTorrent
2008-09-28 09:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-28 07:19 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-27 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-27 14:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-27 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-09-23 09:27 --------- d-----w C:\Program Files\Microsoft Games
2008-09-18 16:53 --------- d-----w C:\Documents and Settings\Thomas\Application Data\dvdcss
2008-09-15 19:25 --------- d-----w C:\Documents and Settings\Thomas\Application Data\U3
2008-09-15 17:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-15 17:50 --------- d-----w C:\Program Files\Apple Software Update
2008-09-14 18:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 06:19 --------- d-----w C:\Documents and Settings\Thomas\Application Data\VMware
2008-09-04 20:41 --------- d-----w C:\Documents and Settings\Thomas\Application Data\PC Tools
2008-09-04 20:26 --------- d-----w C:\Program Files\Google
2008-09-04 17:24 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-09-03 18:19 --------- d-----w C:\Documents and Settings\Thomas\Application Data\Skype
2008-09-02 18:10 0 ----a-w C:\StarCodec_ver1.5897.0.exe
2008-09-02 18:09 0 ----a-w C:\MediaTube_ver1.1573.0.exe
2008-09-01 16:49 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-09-01 16:42 --------- d-----w C:\Program Files\AutoCAD 2006
2008-09-01 16:15 --------- d-----w C:\Documents and Settings\Thomas\Application Data\Autodesk
2008-09-01 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-28 17:09 --------- d-----w C:\Program Files\HiDownload
2008-08-10 09:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2005-09-11 08:44 90 ------w C:\Program Files\firebird.log
2002-07-26 16:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-11-23 04:08 712,704 ------w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-12-14 10:10 88 --sha-r C:\WINDOWS\system32\93EDC7971E.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-03_16.06.20.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-01 16:14:29 5,008 ----a-w C:\WINDOWS\system32\d3d9caps.dat
+ 2008-10-05 18:11:50 5,008 ----a-w C:\WINDOWS\system32\d3d9caps.dat
- 2008-09-27 14:43:06 73,844 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-04 15:12:27 73,844 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-27 14:43:06 466,736 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-04 15:12:27 466,736 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CmCardRun"="C:\WINDOWS\system32\CmWatch.exe" [2003-09-16 229376]
"PCguard"="F:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 275960]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [2007-04-09 1115728]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 2037240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjKbx]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.CSCD"= camcodec.dll
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CONNECTAUTrayApp.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SymmTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SymmTime.lnk
backup=C:\WINDOWS\pss\SymmTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Thomas^Start Menu^Programs^Startup^BadApple.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntl Netguard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-10-30 20:07 140568 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-10-30 20:11 909208 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--------- 2003-06-05 13:35 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]
--------- 2003-06-17 15:43 208896 C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--------- 2005-05-19 14:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CONNECTScheduler]
--------- 2005-11-15 03:54 69632 C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-16 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--------- 2005-12-10 15:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
--------- 2005-03-29 03:36 359424 C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 19:28 133104 C:\Documents and Settings\Thomas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 21:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
--a------ 2004-03-10 17:26 406016 C:\WINDOWS\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 11:13 188416 f:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--------- 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2006-11-09 16:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-10-30 20:06 2595616 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--------- 2004-04-23 12:00 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 23:54 37376 f:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--------- 2002-09-17 09:55 1622016 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-06-30 368544]
R2 devdpl;devdpl;C:\WINDOWS\system32\DRIVERS\devdpl.sys [2003-03-05 7168]
R2 litdpl;litdpl;C:\WINDOWS\system32\DRIVERS\litdpl.sys [2003-03-05 4736]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
R2 WTService;WTService;C:\WINDOWS\system32\atwtusb.exe [2007-05-29 360096]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-10-06 35296]
S3 mclusb;Freecom USB for Digital Audio Device Driver;C:\WINDOWS\system32\Drivers\mclusb.sys [2002-08-21 22900]
S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys [2004-08-11 380160]
S3 UMSSSTOR;C-Media Storage;C:\WINDOWS\system32\DRIVERS\UMSS.SYS [2004-07-13 48512]
S4 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 492720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\START.EXE
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{477EAF90-13EE-4EB8-B926-5811846F1CDB} - (no file)
BHO-{80F1B0D1-9425-4197-8B12-3FA84C28F7F7} - (no file)
BHO-{b886366e-b068-41dc-a410-a7f88a9fd273} - (no file)
Notify-ddcAtrpM - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 19:21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Thomas\LOCALS~1\Temp\RpT3.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
F:\Program Files\comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-07 19:33:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-07 18:33:19
ComboFix2.txt 2008-10-03 15:06:53

Pre-Run: 50,377,142,272 bytes free
Post-Run: 50,382,843,904 bytes free

295 --- E O F --- 2008-10-07 17:01:52
tattybaws
Active Member
 
Posts: 8
Joined: September 30th, 2008, 6:31 am

Re: cannot remove Virtumonde trojan from my PC

Unread postby Scotty » October 14th, 2008, 6:24 am

Hi
More apologies. Ive had no internet all week.

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.You must
also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingcomputer.com/forums/topic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code: Select all
File::
C:\DOCUME~1\Thomas\LOCALS~1\Temp\RpT3.tmp

Folder::
C:\VundoFix Backups
C:\Program Files\WinPcap

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkjKbx] 
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Refering to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: cannot remove Virtumonde trojan from my PC

Unread postby NonSuch » October 23rd, 2008, 11:14 am

Due to lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware