Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

can't get rid of trojan.virtumonde please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 20th, 2009, 1:50 pm

Here is info.txt

info.txt logfile of random's system information tool 1.06 2009-07-20 13:48:29

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal-->MsiExec.exe /I{101F2C64-5735-4B32-9E52-4CB85E5D8C93}
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Blocktrix 1.00-->C:\Program Files\Blocktrix\uninst.exe
Broadcom Gigabit Integrated Controller-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D480 MDC V.9x Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DivX Media Codec 4.2.1-->C:\WINDOWS\system32\uninstdivx.exe
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
Full Tilt Poker-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Holdem Manager-->MsiExec.exe /I{42DE940E-8037-4266-9FBF-5A3AEDA39E96}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotspot Shield 1.10-->C:\Program Files\Hotspot Shield\Uninstall.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
O2Micro Smartcard Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E1547FCE-F5DD-4D77-8C71-13B6A2B8F527} /l1033
PokerStars.net-->C:\Program Files\PokerStars.NET\Uninstall.EXE /u:"PokerStars.net"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PostgreSQL 8.3-->MsiExec.exe /I{B823632F-3B72-4514-8861-B961CE263224}
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
QuickTime-->MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Securexam Student-->"C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Securexam Student-->C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe
Securexam Student-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2BE55EC-8569-11D4-AADE-52544CC9E028}\Setup.exe" UNINSTALL
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SigmaTel AC97 Audio Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
Smart Defrag 1.10-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
SnG Power Tools v1.19b-->"C:\Program Files\Advantage Analysis\SnG Power Tools\unins000.exe"
SofTest-->MsiExec.exe /X{C430FD9C-FFDC-484F-ABF4-870101AE4C70}
Spybot - Search & Destroy 1.4-->MsiExec.exe /I{B8893BFE-D0EB-44A5-A2CE-4840AA0F5CA6}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Take Charge 2.1-->MsiExec.exe /I{AAB04B68-2596-4C2B-B237-D66BBC9B732D}
TetriNet2-->C:\Program Files\TetriNet2\uninstall.exe
Tourney Manager-->MsiExec.exe /I{33FF2328-8CE0-425E-AEDC-BEF9AED09153}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Update Wizard (Redistributable) 4.0-->C:\WINDOWS\system32\wuwuninst.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: Spyware Doctor with AntiVirus (disabled)

======System event log======

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 52
Source Name: b57w2k
Time Written: 20090710010740.000000-240
Event Type: warning
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7034
Message: The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Record Number: 42
Source Name: Service Control Manager
Time Written: 20090710010246.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7000
Message: The Viewpoint Manager Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 8
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.

Record Number: 7
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 5
Source Name: b57w2k
Time Written: 20090709034312.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70419
Source Name: Google Update
Time Written: 20090711004005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70418
Source Name: Google Update
Time Written: 20090710234005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70403
Source Name: Userenv
Time Written: 20090710195356.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70391
Source Name: Userenv
Time Written: 20090710194101.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70377
Source Name: Userenv
Time Written: 20090710185707.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 9 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=0905
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm
Advertisement
Register to Remove

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 21st, 2009, 3:48 pm

Hello Metnut,
Good job updating those programs... If you are not going to be using Spybot, then you should uninstall it... at your earliest convenience. ;)

Please perform the following steps:
Read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
Registry Search
Go to Start > Run...
  1. Copy and paste the following line into the box... then press <Enter>.
    regedit /e "%userprofile%\desktop\reglook.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    A file named reglook.txt will appear on your desktop.
  2. Please post the contents of that file in your next reply.


Step 2.
Rooter
Please download Rooter.exe... Copyrighted © by... Eric_71. Save it to your desktop.
SCAN
  1. Double-click on Rooter.exe icon on your desktop, to execute.
    If you recieve the "Open File" security warning, press Run. The Rooter interface will appear, with a variety of options displayed.
  2. To run the Scan... press the Scan...button.
  3. Notepad will open with a file created called "Rooter#.txt" ... located at %systemdrive%\Rooter$\Rooter#.txt. (# is the number assigned to the report)
    The location of the report file is shown in the bottom display window.
  4. Press the Close button, to close the Rooter window.
Please copy and paste the contents of Rooter#.txt in you next reply.

Step 3.
GMER
Please download GMER by GMER. An alternate download site.
  1. Unzip it to a folder on your desktop.
  2. Double click on gmer.exe to execute.
    If asked, allow the gmer.sys driver load.
  3. If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
  4. If you don't get a warning then...
    • Click the Rootkit/Malware tab at the top of the GMER window.
    • Click the Scan button.
  5. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
  6. Open Notepad and paste what you copied. Ctrl+V
  7. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.

    In the GMER window...
  8. Click on the >>> tab at the top of the GMER window.
    This displays the rest of the "selection" tabs for you.
  9. Click on the Autostart tab.
  10. Click on Scan button.
  11. Once the scan has finished... click Copy.
  12. Open Notepad (again) and paste what you copied. Ctrl+V
  13. Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
  14. Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in you next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Rooter log
  3. GMER gmerroot.txt and gmerauto.txt file contents
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14108
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 22nd, 2009, 12:51 pm

Before we go on, I realize this thread is getting quite long and I certainly appreciate all the time that you must be putting into this. Much thanks.

Computer is still appearing to be running fine.

Here is reglook.txt

Reglook.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"vidc.iv41"="ir41_32.ax"
"msacm.iac2"="iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.DIVX"="DivX.dll"
"vidc.yv12"="DivX.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
"mixer"="rdpsnd.dll"




Here is Rooter_1.txt

Rooter_1.txt


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 9 Stepping 5, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.11
.
C:\ [Fixed-NTFS] .. ( Total:37 Go - Free:5 Go )
D:\ [CD_Rom]
.
Scan : 16:41.21
Path : C:\Documents and Settings\John\Desktop\Rooter.exe
User : John ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (916)
______ \??\C:\WINDOWS\system32\csrss.exe (996)
______ \??\C:\WINDOWS\system32\winlogon.exe (1020)
______ C:\WINDOWS\system32\services.exe (1064)
______ C:\WINDOWS\system32\lsass.exe (1076)
______ C:\WINDOWS\System32\Ati2evxx.exe (1228)
______ C:\WINDOWS\system32\svchost.exe (1244)
______ C:\WINDOWS\system32\svchost.exe (1332)
______ C:\WINDOWS\System32\svchost.exe (1372)
______ C:\WINDOWS\System32\svchost.exe (1436)
______ C:\WINDOWS\system32\svchost.exe (1572)
______ C:\WINDOWS\System32\WLTRYSVC.EXE (1836)
______ C:\WINDOWS\System32\bcmwltry.exe (1848)
______ C:\WINDOWS\system32\spoolsv.exe (1896)
______ C:\WINDOWS\System32\SCardSvr.exe (1956)
______ C:\WINDOWS\System32\svchost.exe (448)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (512)
______ C:\Program Files\Hotspot Shield\bin\openvpnas.exe (560)
______ C:\Program Files\Java\jre6\bin\jqs.exe (584)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (600)
______ C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe (668)
______ C:\Program Files\Spyware Doctor\pctsAuxs.exe (708)
______ C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe (812)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (832)
______ C:\WINDOWS\system32\ssisvr32.exe (964)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (120)
______ C:\WINDOWS\system32\WebUpdateSvc4.exe (1272)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1604)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1696)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1708)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1716)
______ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe (1724)
______ C:\WINDOWS\System32\alg.exe (2032)
______ C:\WINDOWS\System32\svchost.exe (1632)
______ C:\WINDOWS\system32\wscntfy.exe (944)
______ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (2092)
______ C:\WINDOWS\system32\Ati2evxx.exe (2364)
______ C:\WINDOWS\Explorer.EXE (2472)
______ C:\WINDOWS\system32\wuauclt.exe (2736)
______ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (2828)
______ C:\Program Files\iTunes\iTunesHelper.exe (2844)
______ C:\WINDOWS\system32\WLTRAY.exe (2852)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (2860)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2876)
______ C:\WINDOWS\system32\ctfmon.exe (2892)
______ C:\Program Files\iPod\bin\iPodService.exe (3264)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3156)
______ C:\Documents and Settings\John\Desktop\Rooter.exe (3796)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:39999504384)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\WGASetup.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 16:41.38
.
C:\Rooter$\Rooter_1.txt - (21/07/2009 | 16:41.38)





Here is gmerroot.txt

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 12:29:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF8542514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF8531282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF8531474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF8542D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF8542FB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF85413FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8543422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF85427D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF8530F32]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- EOF - GMER 1.0.15 ----




Here is gmerauto.txt

GMER 1.0.15.14972 - http://www.gmer.net
Autostart scan 2009-07-22 12:44:13
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
HotspotShieldService@ = C:\Program Files\Hotspot Shield\bin\openvpnas.exe
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
pgsql-8.3@ = "C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files\PostgreSQL\8.3\data\"
SCardSvr@ = %SystemRoot%\System32\SCardSvr.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
sdAuxService@ = C:\Program Files\Spyware Doctor\pctsAuxs.exe
SSIRuntimeService@ = "C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe"
SSISvr32@ = C:\WINDOWS\system32\ssisvr32.exe
Viewpoint Manager Service@ = "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
WebUpdate4@ = C:\WINDOWS\system32\WebUpdateSvc4.exe
wltrysvc@ = %SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ATIModeChangeAti2mdxx.exe = Ati2mdxx.exe
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@Broadcom Wireless Manager UIC:\WINDOWS\system32\WLTRAY.exe = C:\WINDOWS\system32\WLTRAY.exe
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Google Update"C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c = "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{18DF081C-E8AD-4283-A596-FA578C2EBDC3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
@{3049C3E9-B461-4BC5-8870-4C09146192CA}C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll = C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll
@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
@{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}C:\Program Files\Hotspot Shield\hssie\HssIE.dll = C:\Program Files\Hotspot Shield\hssie\HssIE.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
000000000002@PackedCatalogItem = C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
000000000003@PackedCatalogItem = C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019@PackedCatalogItem = C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll

---- EOF - GMER 1.0.15 ----
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 22nd, 2009, 4:20 pm

It looks like the computer might be shot now. I rebooted it today and i get a blue screen and cannot get to windows. It says that a problem has been detected and windows has been shut down to prevent damage to my computer. Toward the top of the screen it says "UNMOUNTABLE_BOOT_VOLUME". I have tried safe mode with networking, last known good configuration and microsoft recovery console and get the same blue screen each time. This stinks.
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 23rd, 2009, 12:44 am

I'm really sorry to bump my thread again but I used my XP disk and was able to fix the unmountable boot volume problem. Now we can get back to removing malware. Sorry again for the panic after you've been so great.
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 23rd, 2009, 1:53 pm

Hello Metnut,
Great... you got that resolved. Bet you feel better now. ;)
There's no need to apologize... how else would I know you have a problem and/or that it was resolved ... so good job.

Please perform the following steps:
Read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
Check Hard Disk For Errors
  1. Press Start... then select Run
  2. Copy/paste the following command into the box... then press OK:
    Code: Select all
    cmd  /c  chkdsk  c:  |find  /v  "percent"  >> "%userprofile%\desktop\checkhd.txt"
    A blank command window will open on your desktop, then close in a few minutes. This is normal.
    A file and icon named "checkhd.txt" should appear on your Desktop.
  3. Please post the contents of the checkhd.txt file, in yur next reply

Step 2.
Delete Files - Folders
We need to perform some manual clean up.
  1. Right click on the Start...button.
  2. Select Explore...from the menu.
  3. Navigate to and find the following folder: if found, delete it.
    Some may not be present after previous cleaning steps
    Code: Select all
    C:\Program Files\BitTorrent    <==== delete this entire folder  
  4. Please post back with the results of these actions, in your next reply.

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. checkhd.txt file contents
  3. Folder deleted?
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14108
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 25th, 2009, 12:53 am

Computer is running normal. The bitorrent file was there and i deleted it.

Here is Checkhd.txt

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Correcting errors in the master file table's (MFT) BITMAP attribute.


Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.



39062015 KB total disk space.
33548108 KB in 63103 files.
20264 KB in 6979 indexes.
4 KB in bad sectors.
154151 KB in use by the system.
65536 KB occupied by the log file.
5339488 KB available on disk.

4096 bytes in each allocation unit.
9765503 total allocation units on disk.
1334872 allocation units available on disk.
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 25th, 2009, 10:02 pm

Hello Metnut,
Well, the CHKDSK run shows there are errors on the hard drive that should be corrected. So we'll need to run the CHKDSK command again
and try to fix them.

Step 1.
Fix Hard Disk Errors
  1. Press Start... then select Run
  2. Copy/paste the following command into the box... then press OK:
    Code: Select all
    chkdsk c: /f 
  3. It will probably result in a message indicating that it can't perform the action and do you want it to run
    after a reboot... reply Yes
  4. If your computer doesn't automatically reboot... do so manually so the CHKDSK can run.
    This will take a while, so be patient.

    Run CHKDSK again
  5. Once the CHKDSK finishes and Windows starts...
  6. Press Start... then select Run
  7. Copy/paste the following command into the box... then press OK:
    1. Press Start... then select Run
    2. Copy/paste the following command into the box... then press OK:
      Code: Select all
      cmd /c chkdsk c: |find  /v  "percent"  >> "%userprofile%\desktop\checkhd1.txt"
      A blank command window will open on your desktop, then close in a few minutes. This is normal.
      A file and icon named "checkhd1.txt" should appear on your Desktop.
    3. Please post the contents of the checkhd1.txt file, in yur next reply

    Step 2.
    RegSearch ... by Bobbi Flekman © 2005-2007 ... Written by F. Staal
    1. Please download regsearch.zip and save it to your desktop.
    2. Right click on regsearch.zip and select Extract All....
      If you have a 3rd party "unzipping" program...(WinRar, Winzip, etc) ... use that to extract files to your desktop, go to step 6.
    3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
    4. Click on the Browse button. Click on Desktop. Then click OK.
    5. Once done, check the Show extracted files box and click Finish.
    6. Double click on regsearch.exe to run it.
    7. Copy and paste the following text (one at a time, on separate lines) into the "Enter search strings (case independent) and click OK..." section (red highlighted area in the screenshot below).
      Code: Select all
      tikpcops.sys
      ihihx.sys
      uiaymrw.sys

      Image

    8. Make sure all the check boxes in the "Search" section are checked (blue outlined section in the screenshot above).
    9. Click OK.
    10. When done, a text file will be created and automatically opened called: "RegSearch.txt".
      File can be found on your desktop or whatever folder RegSearch was extracted to originally.
    Please copy and paste the contents of RegSearch.txt in your next reply.

    Step 3.
    Please include in your next reply:
    1. Any problem executing the instructions?
    2. checkhd1.txt file contents
    3. RegSearch.txt file contents
    4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14108
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 27th, 2009, 1:16 am

No changes in computer behavior but the results of checkhd1 don't look too promising. Maybe I did something wrong.

Here is checkhd1.txt

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting index entry PGSTAT~1.ST~ in index $I30 of file 39444.

Errors found. CHKDSK cannot continue in read-only mode.


Here is Regsearch.txt

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/27/2009 1:13:37 AM for strings:
; 'tikpcops.sys'
; 'ihihx.sys'
; 'uiaymrw.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\heihypck]
; Contents of value:
; system32\drivers\tikpcops.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,69,00,6b,00,70,00,63,00,6f,\
00,70,00,73,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\orif]
; Contents of value:
; system32\drivers\ihihx.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,68,00,69,00,68,00,78,00,2e,\
00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xienm]
; Contents of value:
; system32\drivers\uiaymrw.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,75,00,69,00,61,00,79,00,6d,00,72,\
00,77,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\heihypck]
; Contents of value:
; system32\drivers\tikpcops.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,69,00,6b,00,70,00,63,00,6f,\
00,70,00,73,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\orif]
; Contents of value:
; system32\drivers\ihihx.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,68,00,69,00,68,00,78,00,2e,\
00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xienm]
; Contents of value:
; system32\drivers\uiaymrw.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,75,00,69,00,61,00,79,00,6d,00,72,\
00,77,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\heihypck]
; Contents of value:
; system32\drivers\tikpcops.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,69,00,6b,00,70,00,63,00,6f,\
00,70,00,73,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\orif]
; Contents of value:
; system32\drivers\ihihx.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,68,00,69,00,68,00,78,00,2e,\
00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xienm]
; Contents of value:
; system32\drivers\uiaymrw.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,75,00,69,00,61,00,79,00,6d,00,72,\
00,77,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_USERS\S-1-5-21-1708537768-507921405-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="cmd /c dir C:\\*.* /L /A /B /S|Find \"tikpcops.sys\" >> \"%userprofile%\\desktop\\look.txt\"\\1"
"e"="cmd /c dir C:\\*.* /L /A /B /S|Find \"ihihx.sys\" >> \"%userprofile%\\desktop\\look.txt\"\\1"
"f"="cmd /c dir C:\\*.* /L /A /B /S|Find \"uiaymrw.sys\" >> \"%userprofile%\\desktop\\look.txt\"\\1"

; End Of The Log...
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 27th, 2009, 5:26 pm

Hello Metnut,

Let's see if we can find... what the (1st) CHKDSK /F run showed us.
It's not a bad idea to begin backing up any important personal data... music, pictures, documents, movies, etc... in case there are problems with the hard drive that can not be fixed.

We'll also remove some registry entries that were left from the trojan infection.

Please perform the following steps:
Read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
VEW - Vino's Event Viewer
Please download VEW.exe... by Vino Rosso. Save it to your desktop.
  1. Double click on VEW.exe to start the program. If you recieve an "Open File" security warning, press Run.
  2. In the "Select log to query" section check:
    • Application
    • System
  3. In the "Select type to list" section check:
    • Error
    • Information
    • Warning
  4. In the "Number or dates of events" section check:
    • Number of events... then enter the number 20 in the entry box.
  5. Press the Run button.
    When the process completes, it only takes a few seconds...
  6. Notepad will open with a report file named: VEW.txt... located on %SystemDrive%\VEW.txt ... usually C:\VEW.txt.
  7. Please copy and paste the contents of the VEW.txt file, in your next reply.

Step 2.
ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.

ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup-exe to run the install process
  3. Install ERUNT by following the prompts.
  4. Use the default install settings... say "NO" to the section that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  5. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  6. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  7. Make sure that at least the first two check boxes are selected.
  8. Click on OK... then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on OK... then at the prompt, reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 3.
OTM
You should still have this on your desktop... if not , the download link is provided. No need to download again, if you still have it.
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Double click on OTM.exe to run it.
    If you receive the "Open File - Security Warning", please press Run.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Warning: Do not type it out... errors could damage your machine.
    Code: Select all
    :Reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\heihypck]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\orif]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xienm]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\heihypck]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\orif]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xienm]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\heihypck]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\orif]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xienm]
    
    :Commands
    [EmptyTemp]
    [Reboot]
    

    Please refer to this image to use OTM.exe

    Image
  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. VEW.txt file contents
  3. OTM results
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14108
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 31st, 2009, 8:08 am

3 Day Bump
Hi... Metnut,
It has been 3 or more days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
If, after 48 hrs., you have not replied to this thread... it will be closed!
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14108
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby askey127 » August 2nd, 2009, 2:37 pm

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 39 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware