Virtumonde still infecting computer


Post by Prille » November 10th, 2007, 1:46 am

Hi there-

I'm LitomoSilver's friend, the one he's been helping the last few days. He told me to register here for more help since he can't help me, so I did. Please help me get rid of the problems plaguing my baby. Thanks!


ComboFix 07-11-07.3 - April 2007-11-09 23:32:04.3 - NTFSx86
Running from: C:\Documents and Settings\April\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-07 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-07 03:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-07 02:11 <DIR> d-------- C:\Documents and Settings\April\Application Data\SUPERAntiSpyware.com
2007-11-07 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-07 01:25 <DIR> d-------- C:\VundoFix Backups
2007-11-06 22:08 <DIR> d-------- C:\Program Files\Atomic Clock Sync
2007-11-06 20:20 <DIR> d-------- C:\Documents and Settings\April\Application Data\Comodo
2007-11-06 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-06 20:13 <DIR> d-------- C:\Program Files\Comodo
2007-11-06 16:24 87,104 --a------ C:\WINDOWS\system32\vkeehahi.dll
2007-11-06 16:09 145,984 --a------ C:\WINDOWS\system32\qoenmeaq.dll
2007-11-05 07:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-05 06:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 06:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 06:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 04:53 <DIR> d-------- C:\Program Files\CCleaner
2007-11-05 04:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 04:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-05 04:21 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-05 04:21 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-05 04:21 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-05 04:21 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-05 04:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-05 04:21 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-05 04:21 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-05 04:00 <DIR> d-------- C:\Program Files\TUGZip
2007-11-05 04:00 156,160 --a------ C:\WINDOWS\system32\unrar3.dll
2007-11-05 04:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-05 02:57 <DIR> d-------- C:\Program Files\TeamViewer3
2007-11-05 02:57 <DIR> d-------- C:\Documents and Settings\April\Application Data\TeamViewer
2007-11-05 02:56 <DIR> d-------- C:\Documents and Settings\April\temp
2007-10-29 18:42 <DIR> d---s---- C:\Documents and Settings\April\UserData
2007-10-28 04:17 <DIR> d-------- C:\Documents and Settings\April\Application Data\McAfee
2007-10-18 19:20 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-18 19:20 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-18 16:30 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-18 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-18 15:37 <DIR> d-------- C:\Documents and Settings\April\Application Data\U3
2007-10-18 15:37 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-15 17:12 <DIR> d-------- C:\Documents and Settings\April\Application Data\iShell
2007-10-15 17:12 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-10-15 17:11 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-15 17:11 <DIR> d-------- C:\Program Files\QuickTime
2007-10-15 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-13 02:05 <DIR> d-------- C:\Restoration
2007-10-13 02:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2007-10-13 01:50 <DIR> d-------- C:\Program Files\scar5
2007-10-13 01:50 <DIR> d-------- C:\Documents and Settings\April\Application Data\scar5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 04:16 --------- d-----w C:\Program Files\MSN Messenger
2007-11-05 14:20 --------- d-----w C:\Program Files\McAfee
2007-11-05 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-01 19:26 --------- d-----w C:\Program Files\Java
2007-10-18 21:41 --------- d-----w C:\Documents and Settings\April\Application Data\DivX
2007-10-06 09:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 23:45 --------- d-----w C:\Documents and Settings\April\Application Data\Viewpoint
2007-09-30 23:35 --------- d-----w C:\Program Files\DivX
2007-09-28 08:07 --------- d-----w C:\Program Files\Veoh Networks
2007-09-19 02:50 --------- d-----w C:\Documents and Settings\April\Application Data\AdobeUM
2007-09-19 02:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-18 22:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-18 22:26 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-18 19:54 --------- d-----w C:\Program Files\Viewpoint
2007-09-18 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-18 05:21 --------- d-----w C:\Program Files\Yahoo!
2007-09-18 04:50 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-18 04:20 --------- d-----w C:\Documents and Settings\April\Application Data\Talkback
2007-09-18 04:17 --------- d-----w C:\Program Files\AOD
2007-09-18 04:17 --------- d-----w C:\Program Files\AIM
2007-09-18 04:17 --------- d-----w C:\Documents and Settings\April\Application Data\Aim
2007-09-18 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-18 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-09-18 01:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-09-18 01:04 --------- d-----w C:\Documents and Settings\April\Application Data\McAfee.com Personal Firewall
2007-09-18 00:58 --------- d-----w C:\Program Files\Canon
2007-09-18 00:51 --------- d-----w C:\Program Files\CyberLink
2007-09-18 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-09-18 00:47 28,352 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-09-18 00:46 --------- d-----w C:\Program Files\MUSICMATCH
2007-09-18 00:46 --------- d-----w C:\Program Files\Dell
2007-09-18 00:45 --------- d-----w C:\Program Files\Jasc Software Inc
2007-09-18 00:43 --------- d-----w C:\Program Files\Dell Computer
2007-09-18 00:43 --------- d-----w C:\Documents and Settings\April\Application Data\Jasc Software Inc
2007-09-18 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-18 00:06 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-18 00:01 --------- d-----w C:\Documents and Settings\April\Application Data\ATI
2007-09-17 23:59 --------- d-----w C:\Program Files\Modem Helper
2007-09-17 23:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-17 23:55 --------- d-----w C:\Program Files\ATI Technologies
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\Default User\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\April\Application Data\Intel
2007-09-17 23:53 319,488 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe
2007-09-17 23:53 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-17 23:53 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-09-17 23:53 --------- d-----w C:\Program Files\Intel
2007-09-17 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2007-09-17 23:51 --------- d-----w C:\Program Files\Synaptics
2007-09-17 23:51 --------- d-----w C:\Program Files\CONEXANT
2007-09-17 23:50 --------- d-----w C:\Program Files\DIFX
2007-09-17 23:47 --------- d-----w C:\Program Files\SigmaTel
2007-09-17 23:45 --------- d-----w C:\Program Files\Common Files\Java
2007-09-17 23:30 5 ----a-w C:\WINDOWS\system32\drivers\DELL_XPS_MM061 .MRK
2007-09-17 23:30 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_XPS_MM061 .MRK
2007-09-17 22:51 --------- d-----w C:\Program Files\RGB
2007-09-17 22:49 --------- d-----w C:\Program Files\GemMaster
2007-09-17 22:49 --------- d-----w C:\Program Files\EnglishOtto
2007-09-17 22:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-17 22:31 --------- d-----w C:\Program Files\Windows Plus
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_ 4.06.25.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-07 19:37:56 53,248 ----a-w C:\WINDOWS\system32\Macromed\Common\SwSupport.dll
+ 2007-08-07 23:20:44 182,248 ----a-w C:\WINDOWS\system32\Macromed\Director\SwDir.dll
+ 2007-08-07 19:35:56 585,728 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
+ 2007-08-07 19:19:40 1,490,944 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
+ 2007-08-07 19:36:32 24,576 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2007-08-07 19:17:24 606,208 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
+ 2007-08-07 19:35:22 339,968 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
+ 2007-08-07 19:35:32 483,328 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2007-08-07 19:28:38 180,224 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
+ 2007-08-07 23:20:28 391,144 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
+ 2007-08-07 19:37:56 77,824 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
+ 2007-08-07 19:35:18 86,016 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
+ 2007-08-07 19:37:58 98,304 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
+ 1999-06-25 16:55:30 149,504 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
- 2007-11-07 09:11:55 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-10 00:24:35 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 09:11:55 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 00:24:35 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-10 00:20:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C004C76-2E94-44C7-937F-3ADDCA578768}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82677742-4718-416F-A782-B377884ECDDD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2D3027B-A59A-48AE-9463-D2546977B1FB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2A5CA1D-7B85-44FD-B624-85A8B24274F8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 17:51]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 12:24]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 16:23]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"a0b9bd3e"="C:\WINDOWS\system32\vkeehahi.dll" [2007-11-06 16:24]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-06 20:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 00:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqqqo]
ssqqqqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 23:33:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 23:34:01
C:\ComboFix2.txt ... 2007-11-07 05:21
C:\ComboFix3.txt ... 2007-11-07 04:06
.
--- E O F ---
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am

Post by Prille » November 10th, 2007, 1:49 am

Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:48:15 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6C004C76-2E94-44C7-937F-3ADDCA578768} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82677742-4718-416F-A782-B377884ECDDD} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B2D3027B-A59A-48AE-9463-D2546977B1FB} - (no file)
O2 - BHO: (no name) - {F2A5CA1D-7B85-44FD-B624-85A8B24274F8} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [a0b9bd3e] rundll32.exe "C:\WINDOWS\system32\vkeehahi.dll",b
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqqqqo - ssqqqqo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am

Post by chryssi2001 » November 10th, 2007, 4:23 am

Hello Prille, and Welcome to MWR. :)

I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and ComboFix report, and I will post back recommendations for repairs.

As I am still a trainee, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck somewhere, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Virtumonde still infecting computer

Post by chryssi2001 » November 13th, 2007, 3:11 pm

Hello Prille, I apologise for the delay.

I am familiar with your topic where LitomoSilver posted reports on your behalf. :)
Try to follow the steps below; if you are not sure about something, just ask.
These are multiple steps, so take your time to do them and post back what I ask.

C:\Documents and Settings\April\Desktop\Reiko files

If I understand right, are those the files you exchanged with LitomoSilver when creating the reports, and do you need them to contact him?
------------------------------------------------------
Upload a File to Jotti

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe

Click Open and submit the file and wait for the results.
Please let me know the results.
------------------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it when your computer is clean, by reversing the above steps.
------------------------------------------------------
Disable SUPERAntiSpyware until the computer is clean
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
  • Click Close to exit.
Don't forget to re-enable it when your computer is clean, by reversing the above steps.
------------------------------------------------------
COMBOFIX-Do

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\vkeehahi.dll
    C:\WINDOWS\system32\qoenmeaq.dll
    C:\WINDOWS\system32\bhxbktsl.dll
    C:\WINDOWS\system32\rhqkegfr.exe

    Folder::
    C:\VundoFix Backups

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C004C76-2E94-44C7-937F-3ADDCA578768}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82677742-4718-416F-A782-B377884ECDDD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2D3027B-A59A-48AE-9463-D2546977B1FB}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2A5CA1D-7B85-44FD-B624-85A8B24274F8}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "a0b9bd3e"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqqqo]
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6C004C76-2E94-44C7-937F-3ADDCA578768}]
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{82677742-4718-416F-A782-B377884ECDDD}]
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2D3027B-A59A-48AE-9463-D2546977B1FB}]
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F2A5CA1D-7B85-44FD-B624-85A8B24274F8}]
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
------------------------------------------------------
Run HijackThis again.
------------------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Jotti results and answer about Reiko files.
Tell me how the pc is running now.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
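Added example, not code from this thread, from ComboFix or from HijackThis: a small Python triage script that applies the three checks the CFScript above encodes to HijackThis log lines (O2 BHOs whose DLL is "(no file)", O4 Run values that use rundll32 to load a randomly named DLL from system32, and O20 Winlogon Notify packages that are missing or randomly named) and renders the hits in the File:: / Registry:: layout shown in the post. The sample lines are copied from the log in this thread; the random-name heuristic and all function names are constructed for the example, and the output is a candidate list for a helper to review, not something to run unattended.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted earlier in this thread, mixing known-good and suspicious entries.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C004C76-2E94-44C7-937F-3ADDCA578768} - (no file)
O2 - BHO: (no name) - {82677742-4718-416F-A782-B377884ECDDD} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [a0b9bd3e] rundll32.exe "C:\WINDOWS\system32\vkeehahi.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqqqqo - ssqqqqo.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")
# rundll32 launching a DLL straight out of system32; captures the full path and the bare name.
RUNDLL_SYS32_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\WINDOWS\\system32\\(?P<stem>[^\\"]+)\.dll)"?',
    re.IGNORECASE)
# Heuristic (constructed for this example): Vundo drops DLLs and Notify packages
# named with 7-8 random lowercase letters, e.g. vkeehahi, qoenmeaq, ssqqqqo.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"   # ComboFix's shorthand, as in the log
CLSID_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def subkey(parent: str, name: str) -> str:
    return parent + "\\" + name


@dataclass
class Finding:
    line: str
    reason: str
    files: List[str] = field(default_factory=list)                      # -> File:: section
    delete_keys: List[str] = field(default_factory=list)                # -> [-key]
    delete_values: List[Tuple[str, str]] = field(default_factory=list)  # -> "name"=- under [key]


def triage(log_text: str) -> List[Finding]:
    """Apply the three checks to every line; return only what looks like Vundo residue."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO whose DLL is already gone leaves an orphaned CLSID that IE still tries to load.
            if m["path"] == "(no file)":
                findings.append(Finding(line, "orphaned BHO CLSID (no file)",
                    delete_keys=[subkey(BHO_KEY, m["clsid"]), subkey(CLSID_KEY, m["clsid"])]))
        elif m := O4_RE.match(line):
            r = RUNDLL_SYS32_RE.match(m["cmd"])
            if r and RANDOM_NAME_RE.match(r["stem"]):
                findings.append(Finding(line, "Run value loads a random-named system32 DLL via rundll32",
                    files=[r["dll"]],
                    delete_values=[(subkey(HIVES[m["hive"]], RUN_SUBKEY), m["value"])]))
        elif m := O20_RE.match(line):
            # Notify packages run inside winlogon.exe at logon; missing or random ones are suspect.
            if "(file missing)" in m["rest"] or RANDOM_NAME_RE.match(m["name"]):
                findings.append(Finding(line, "suspicious Winlogon Notify package",
                    delete_keys=[subkey(NOTIFY_KEY, m["name"])]))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render findings in the File:: / Registry:: layout used by the CFScript in this thread."""
    files = [p for f in findings for p in f.files]
    keys = [k for f in findings for k in f.delete_keys]
    values = [v for f in findings for v in f.delete_values]
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if keys or values:
        out.append("Registry::")
        out += [f"[-{k}]" for k in keys]          # leading '-' deletes the whole key
        for key, name in values:
            out += [f"[{key}]", f'"{name}"=-']     # '=-' deletes one value under that key
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in triage(HJT_SAMPLE):
        print(f"{finding.reason}: {finding.line}")
    print(build_cfscript(triage(HJT_SAMPLE)))
```

Run against the sample, the script flags the two orphaned BHO CLSIDs, the a0b9bd3e Run value with its vkeehahi.dll, and the ssqqqqo Notify package, and leaves the Adobe, avast!, SUPERAntiSpyware entries alone.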

Re: Virtumonde still infecting computer

Post by Prille » November 14th, 2007, 8:11 am

Malware thing.

The files I have in Reiko’s file are what he created for me when he was assisting me with my computer. I added the two newest logs, but the rest were from where he RD’d with me.

Jotti Results

File: Reiko.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ee86268e59e4b38961e7c40d16be5bb4
Packers detected: UPX
Bit9 reports: No threat detected
Scan taken on 14 Nov 2007 11:45:16 (GMT)

Scanner results:
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

ComboFix 07-11-07.3 - April 2007-11-14 6:01:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -6:00]
Running from: C:\Documents and Settings\April\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\April\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bhxbktsl.dll
C:\WINDOWS\system32\qoenmeaq.dll
C:\WINDOWS\system32\rhqkegfr.exe
C:\WINDOWS\system32\vkeehahi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\qoenmeaq.dll
C:\WINDOWS\system32\vkeehahi.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 05:28 <DIR> d-------- C:\WatchNow
2007-11-14 03:13 <DIR> dr-h----- C:\Documents and Settings\April\Application Data\yahoo!
2007-11-12 02:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-12 02:41 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-07 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-07 03:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 02:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-07 02:11 <DIR> d-------- C:\Documents and Settings\April\Application Data\SUPERAntiSpyware.com
2007-11-07 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 22:08 <DIR> d-------- C:\Program Files\Atomic Clock Sync
2007-11-06 20:20 <DIR> d-------- C:\Documents and Settings\April\Application Data\Comodo
2007-11-06 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-06 20:13 <DIR> d-------- C:\Program Files\Comodo
2007-11-05 07:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-05 06:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 06:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 06:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 04:53 <DIR> d-------- C:\Program Files\CCleaner
2007-11-05 04:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 04:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-05 04:21 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-05 04:21 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-05 04:21 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-05 04:21 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-05 04:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-05 04:21 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-05 04:21 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-05 04:00 <DIR> d-------- C:\Program Files\TUGZip
2007-11-05 04:00 156,160 --a------ C:\WINDOWS\system32\unrar3.dll
2007-11-05 04:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-05 02:57 <DIR> d-------- C:\Program Files\TeamViewer3
2007-11-05 02:57 <DIR> d-------- C:\Documents and Settings\April\Application Data\TeamViewer
2007-11-05 02:56 <DIR> d-------- C:\Documents and Settings\April\temp
2007-10-29 18:42 <DIR> d---s---- C:\Documents and Settings\April\UserData
2007-10-28 04:17 <DIR> d-------- C:\Documents and Settings\April\Application Data\McAfee
2007-10-18 19:20 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-18 19:20 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-18 16:30 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-18 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-18 15:37 <DIR> d-------- C:\Documents and Settings\April\Application Data\U3
2007-10-18 15:37 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-15 17:12 <DIR> d-------- C:\Documents and Settings\April\Application Data\iShell
2007-10-15 17:12 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-10-15 17:11 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-15 17:11 <DIR> d-------- C:\Program Files\QuickTime
2007-10-15 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 11:58 --------- d-----w C:\Program Files\DivX
2007-11-12 08:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-07 04:16 --------- d-----w C:\Program Files\MSN Messenger
2007-11-05 14:20 --------- d-----w C:\Program Files\McAfee
2007-11-05 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-01 19:26 --------- d-----w C:\Program Files\Java
2007-10-18 21:41 --------- d-----w C:\Documents and Settings\April\Application Data\DivX
2007-10-13 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\scar5
2007-10-13 07:50 --------- d-----w C:\Program Files\scar5
2007-10-13 07:50 --------- d-----w C:\Documents and Settings\April\Application Data\scar5
2007-10-06 09:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 23:45 --------- d-----w C:\Documents and Settings\April\Application Data\Viewpoint
2007-09-28 08:07 --------- d-----w C:\Program Files\Veoh Networks
2007-09-19 02:50 --------- d-----w C:\Documents and Settings\April\Application Data\AdobeUM
2007-09-18 22:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-18 22:26 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-18 19:54 --------- d-----w C:\Program Files\Viewpoint
2007-09-18 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-18 05:21 --------- d-----w C:\Program Files\Yahoo!
2007-09-18 04:50 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-18 04:20 --------- d-----w C:\Documents and Settings\April\Application Data\Talkback
2007-09-18 04:17 --------- d-----w C:\Program Files\AOD
2007-09-18 04:17 --------- d-----w C:\Program Files\AIM
2007-09-18 04:17 --------- d-----w C:\Documents and Settings\April\Application Data\Aim
2007-09-18 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-18 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-09-18 01:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-09-18 01:04 --------- d-----w C:\Documents and Settings\April\Application Data\McAfee.com Personal Firewall
2007-09-18 00:58 --------- d-----w C:\Program Files\Canon
2007-09-18 00:51 --------- d-----w C:\Program Files\CyberLink
2007-09-18 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-09-18 00:47 28,352 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-09-18 00:46 --------- d-----w C:\Program Files\MUSICMATCH
2007-09-18 00:46 --------- d-----w C:\Program Files\Dell
2007-09-18 00:45 --------- d-----w C:\Program Files\Jasc Software Inc
2007-09-18 00:43 --------- d-----w C:\Program Files\Dell Computer
2007-09-18 00:43 --------- d-----w C:\Documents and Settings\April\Application Data\Jasc Software Inc
2007-09-18 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-18 00:06 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-18 00:01 --------- d-----w C:\Documents and Settings\April\Application Data\ATI
2007-09-17 23:59 --------- d-----w C:\Program Files\Modem Helper
2007-09-17 23:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-17 23:55 --------- d-----w C:\Program Files\ATI Technologies
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\Default User\Application Data\Intel
2007-09-17 23:54 --------- d-----w C:\Documents and Settings\April\Application Data\Intel
2007-09-17 23:53 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-17 23:53 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2007-09-17 23:53 --------- d-----w C:\Program Files\Intel
2007-09-17 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2007-09-17 23:51 --------- d-----w C:\Program Files\Synaptics
2007-09-17 23:51 --------- d-----w C:\Program Files\CONEXANT
2007-09-17 23:50 --------- d-----w C:\Program Files\DIFX
2007-09-17 23:47 --------- d-----w C:\Program Files\SigmaTel
2007-09-17 23:45 --------- d-----w C:\Program Files\Common Files\Java
2007-09-17 23:30 5 ----a-w C:\WINDOWS\system32\drivers\DELL_XPS_MM061 .MRK
2007-09-17 23:30 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_XPS_MM061 .MRK
2007-09-17 22:51 --------- d-----w C:\Program Files\RGB
2007-09-17 22:49 --------- d-----w C:\Program Files\GemMaster
2007-09-17 22:49 --------- d-----w C:\Program Files\EnglishOtto
2007-09-17 22:38 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-17 22:31 --------- d-----w C:\Program Files\Windows Plus
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_ 4.06.25.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-19 07:34:15 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2007-11-14 09:01:01 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2007-10-19 07:34:15 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-11-14 09:01:02 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-10-19 07:34:15 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2007-11-14 09:01:02 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2007-10-19 07:34:15 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-11-14 09:01:02 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-10-19 07:34:15 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-14 09:01:03 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-10-19 07:34:15 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-11-14 09:01:02 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2007-10-19 07:34:15 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2007-11-14 09:01:02 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2007-10-19 07:34:15 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-14 09:01:02 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2007-10-19 07:34:15 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-11-14 09:01:03 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-10-19 07:34:15 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-11-14 09:01:02 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2007-10-19 08:44:35 12,288 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-14 09:02:17 12,288 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-10-19 08:44:35 135,168 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-14 09:02:17 135,168 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-10-19 08:44:35 11,264 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-14 09:02:17 11,264 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-10-19 08:44:35 27,136 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-14 09:02:18 27,136 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-10-19 08:44:35 4,096 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-14 09:02:18 4,096 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-10-19 08:44:35 794,624 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-14 09:02:18 794,624 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-10-19 08:44:35 23,040 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-14 09:02:18 23,040 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-10-19 08:44:35 286,720 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-14 09:02:17 286,720 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-10-19 08:44:35 409,600 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-14 09:02:17 409,600 ----a-r C:\WINDOWS\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-12 08:41:19 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
+ 2007-11-12 08:41:20 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2007-11-12 08:41:20 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2007-11-12 08:41:20 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
+ 2007-11-12 08:41:20 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2007-11-12 08:41:19 23,558 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2006-09-29 12:56:38 28,248 ----a-r C:\WINDOWS\system32\AdobePDF.dll
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-11-05 14:05:03 264,616 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-11-14 11:28:02 266,208 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-08-07 19:37:56 53,248 ----a-w C:\WINDOWS\system32\Macromed\Common\SwSupport.dll
+ 2007-08-07 23:20:44 182,248 ----a-w C:\WINDOWS\system32\Macromed\Director\SwDir.dll
- 2007-09-18 22:55:36 45,218 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-11-13 06:27:46 45,218 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-08-07 19:35:56 585,728 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
+ 2007-08-07 19:19:40 1,490,944 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
+ 2007-08-07 19:36:32 24,576 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2007-08-07 19:17:24 606,208 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
+ 2007-08-07 19:35:22 339,968 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
+ 2007-08-07 19:35:32 483,328 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2007-08-07 19:28:38 180,224 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
+ 2007-08-07 23:20:28 391,144 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
+ 2007-08-07 19:37:56 77,824 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
+ 2007-08-07 19:35:18 86,016 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
+ 2007-08-07 19:37:58 98,304 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
+ 1999-06-25 16:55:30 149,504 ----a-w C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE
+ 2004-02-20 22:15:42 40,960 ----a-r C:\WINDOWS\system32\MFC71CHS.DLL
+ 2004-02-20 22:15:42 45,056 ----a-r C:\WINDOWS\system32\MFC71CHT.DLL
+ 2004-02-20 22:15:42 65,536 ----a-r C:\WINDOWS\system32\MFC71DEU.DLL
+ 2003-10-17 18:44:08 57,344 ----a-r C:\WINDOWS\system32\MFC71ENU.DLL
+ 2004-02-20 22:15:42 61,440 ----a-r C:\WINDOWS\system32\MFC71ESP.DLL
+ 2004-02-20 22:15:42 61,440 ----a-r C:\WINDOWS\system32\MFC71FRA.DLL
+ 2004-02-20 22:15:42 61,440 ----a-r C:\WINDOWS\system32\MFC71ITA.DLL
+ 2004-02-20 22:15:42 49,152 ----a-r C:\WINDOWS\system32\MFC71JPN.DLL
+ 2004-02-20 22:15:42 49,152 ----a-r C:\WINDOWS\system32\MFC71KOR.DLL
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-11-07 09:11:55 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-14 12:01:02 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-07 09:11:55 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-14 12:01:02 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-05-11 05:13:07 24,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ADREGP.DLL
+ 2007-05-11 05:13:22 190,072 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ADUIGP.DLL
+ 2003-05-05 22:47:20 129,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\Ps5ui.dll
+ 2003-05-05 22:47:20 455,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2007-05-11 05:13:07 24,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\AdReGP.dll
+ 2007-05-11 05:13:22 190,072 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\ADUIGP.dll
+ 2003-05-05 22:47:20 129,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\PS5UI.DLL
+ 2003-05-05 22:47:20 455,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\PSCRIPT5.DLL
- 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2006-06-05 21:47:40 1,093,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\mfc80.dll
+ 2006-06-05 21:47:48 1,080,320 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\mfc80u.dll
+ 2006-06-05 21:47:50 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\mfcm80.dll
+ 2006-06-05 21:47:50 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\mfcm80u.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 17:51]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 12:24]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 16:23]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-06 20:13]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 00:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b9aeba6-7dc2-11dc-8293-0018de813166}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 06:05:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 6:07:35 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 23:34
C:\ComboFix3.txt ... 2007-11-07 05:21
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 6:09:02 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

My computer is running the same as it was before.
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am
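A small triage helper for HijackThis-style log lines like the ones in the post above, as an added example that is not part of this thread and not a HijackThis, ComboFix or MalwareRemoval.com tool. It flags the three things a helper would look at first in that log: the O2 BHO entry that ends in "(no file)" (a CLSID still registered after its DLL is gone), the avast! O23 service lines marked "(file missing)" with an unbalanced quote in the ImagePath, and bare 8-letter binaries directly under system32, the naming pattern of the files ComboFix listed under FILE. Assumptions: the KNOWN_8LETTER allowlist is a partial set I constructed and would need extending for real use; the sample log is constructed, four of its lines copied from the logs above and the [vkeehahi] O4 line built from a filename in ComboFix's FILE section, since the HijackThis log no longer shows that loader.

```python
"""Triage helper for HijackThis-style log lines (added example, not a project tool)."""
from __future__ import annotations

import re

# Assumption: partial allowlist of legitimate 8-letter Windows XP binaries.
# Extend it for real use; anything not listed is only "worth a look", and a
# hash lookup (like the Jotti scan in this thread) is what confirms a file.
KNOWN_8LETTER = {
    "services.exe", "winlogon.exe", "ntoskrnl.exe", "explorer.exe",
    "userinit.exe", "browseui.dll", "imagehlp.dll", "iphlpapi.dll",
    "setupapi.dll", "iertutil.dll",
}

# O2 line whose module is missing: "O2 - BHO: <name> - {CLSID} - (no file)"
ORPHAN_BHO = re.compile(
    r"^O2 - BHO: .* - \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\} - \(no file\)$"
)
# Bare 8-letter DLL/EXE directly under system32 (heuristic only)
RANDOM_NAME = re.compile(r"\\system32\\([a-z]{8})\.(dll|exe)\b", re.IGNORECASE)


def triage_line(line: str) -> list[str]:
    """Return the reasons a single log line deserves attention (empty if none)."""
    s = line.strip()
    reasons: list[str] = []
    if ORPHAN_BHO.match(s):
        reasons.append("orphaned BHO: CLSID still registered but its DLL is gone")
    if s.startswith("O23 - Service:"):
        if "(file missing)" in s:
            reasons.append("service binary not found on disk")
        if s.count('"') % 2 == 1:
            reasons.append("unbalanced quote in service ImagePath")
    m = RANDOM_NAME.search(s)
    if m:
        name = f"{m.group(1)}.{m.group(2)}".lower()
        if name not in KNOWN_8LETTER:
            reasons.append(f"8-letter system32 binary not on allowlist: {name}")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line of a log to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


# Constructed sample: four lines copied from the logs in this thread, plus a
# [vkeehahi] Run entry built from a filename in ComboFix's FILE section.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O4 - HKLM\..\Run: [vkeehahi] C:\WINDOWS\system32\vkeehahi.dll
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

The allowlist approach is deliberate: legitimate Windows files such as winlogon.exe and services.exe also have plain 8-letter names, so the name pattern on its own separates nothing; it only narrows down which files to hash and look up.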

Re: Virtumonde still infecting computer

Unread postby chryssi2001 » November 14th, 2007, 4:19 pm

Hello Prille, :)

My computer is running the same as it was before.

That means it runs normal, no pop-ups or anything?
------------------------------------------------
Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
------------------------------------------------
AVG Anti-Spyware - 1st Part
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.
If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
Do not run a scan yet.
------------------------------------------------
I see you have installed TeamViewer3 and TeamViewer.
Some sites flag them as low-risk programs due to the way they work. If you need them to contact other computers, leave them alone.
Just keep in mind that when using them and transferring files from one computer to the other, infections could be transmitted.
See some information here
------------------------------------------------
OPTIONAL

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.
  • Do the same for each Viewpoint component.
------------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
------------------------------------------------
AVG Anti-Spyware - 2nd Part

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.

Go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
  • Reboot in normal mode and copy the report back to this topic.
------------------------------------------------
Post back:
AVG Anti-Spyware report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
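The HijackThis entries the helper singles out above (an R0 value left empty, an O2 BHO with "(no file)") are the pattern a reviewer looks for when reading such a log by hand. The following is an added example, not code from this thread, from HijackThis or from MalwareRemoval.com: a small Python triage script that parses R/O entries from a HijackThis-style log and flags orphaned file references, empty R0/R1 values, and O4/O23 entries that run from a user profile directory. The sample log is constructed from lines quoted in this thread, plus one made-up HKCU Run entry (marked CONSTRUCTED) so the profile-directory check has something to fire on.

```python
"""Triage helper for HijackThis-style log lines (added example).

Not part of this thread or of HijackThis itself. It reads the R/O
entries of a HijackThis log and flags the kinds of lines the helper
asks to have fixed: registry values that point at a file which no
longer exists, empty R0/R1 values, and autostart or service entries
that run from a user profile directory.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied from the logs quoted in this thread,
# plus one made-up HKCU Run entry (marked CONSTRUCTED) to show the
# profile-directory check firing.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\April\Application Data\example.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# "R0 - body", "O23 - body": a section tag, a dash, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Any path under a profile directory, "All Users" included; these are
# writable by ordinary users, unlike Program Files or system32.
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def classify(section: str, body: str) -> List[str]:
    """Return the review reasons that apply to one parsed entry."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned reference")
    if section.startswith("R") and body.rstrip().endswith("="):
        reasons.append("empty value")
    if section in ("O4", "O23") and USER_PROFILE_RE.search(body):
        reasons.append("runs from user profile")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every recognisable entry and collect one Finding per reason."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # headers, process list, blank lines
        section, body = match.group("section"), match.group("body")
        for reason in classify(section, body):
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per reason, for a quick overview."""
    counts: dict = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(results))
```

The three checks are deliberately narrow: an orphaned reference or an empty R0 value is dead configuration that is safe to clean, while an autostart entry running from a profile directory is only a prompt for a closer look at that file, not a verdict. Anything the script flags still needs the human review the helper performs in this thread.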

Re: Virtumonde still infecting computer

Unread postby chryssi2001 » November 18th, 2007, 4:12 am

Hello Prille,

Are you still with me? Any problems with my instructions?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Virtumonde still infecting computer

Unread postby Prille » November 18th, 2007, 4:51 pm

Sorry about the delay. I've been ill and haven't felt like messing with my computer. In regard to your previous question, my computer is running as it normally does, neither slow nor fast. There aren't any pop-ups except for the occasional one via Firefox.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:24:23 PM 11/18/2007

+ Scan result:



C:\Documents and Settings\April\Desktop\Avast Antivirus Profesional 4.7.892.rar/keygen.exe -> Downloader.Agent.dlu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3DEEC9AD-2D5C-467A-9A10-DF0C45BE2CFF}\RP33\A0005686.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 2:46:58 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am

Re: Virtumonde still infecting computer

Unread postby chryssi2001 » November 19th, 2007, 9:52 am

Hello Prille,

Sorry about the delay. I've been ill and haven't felt like messing with my computer. In regard to your previous question, my computer is running as it normally does, neither slow nor fast. There aren't any pop-ups except for the occasional one via Firefox.


I hope you feel better now. :)

What are those occasional pop-ups you get when you use firefox?
Can you describe what they are? Do you have a pop-up blocker on and still get them?
----------------------------------------------------
Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply together with a new Hijackthis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Virtumonde still infecting computer

Unread postby Prille » November 19th, 2007, 11:51 am

I feel a little better, yes. The pop-ups were actually from IE, but I haven't gotten any in a few weeks. I use a pop-up blocker, so now the only things that pop up are updates and things that were installed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 19, 2007 9:47:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/11/2007
Kaspersky Anti-Virus database records: 461649
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 52722
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:02:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\update\backup\Ad-Aware2007.exe.old Infected: Backdoor.Win32.SdBot.cic skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\April\Application Data\Aim\jztytbiv\SarcasmInt3nd3d\cert8.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Aim\jztytbiv\SarcasmInt3nd3d\key3.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\cert8.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\history.dat Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\key3.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\parent.lock Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\April\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\April\Desktop\Avast Antivirus Profesional 4.7.892\crack.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\April\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\dfsr.db Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\fsr.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\fsrtmp.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\tmp.edb Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows Live Contacts\drowninginsilence@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows Live Contacts\drowninginsilence@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\History\History.IE5\MSHist012007111820071119\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\History\History.IE5\MSHist012007111920071120\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_214.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_aa4.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_d50.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF1217.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF121F.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF1F29.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF2E6B.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF2E74.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF3E41.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF3E60.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF49EE.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~WRS0001.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\April\My Documents\PHX\CJA580\Allcock -- Week 4.doc Object is locked skipped
C:\Documents and Settings\April\My Documents\PHX\CJA580\~WRL0005.tmp Object is locked skipped
C:\Documents and Settings\April\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\April\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_3.MSI/Cabs.w1.cab/AdAware2007.exe Infected: Backdoor.Win32.SdBot.cic skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_3.MSI/Cabs.w1.cab Infected: Backdoor.Win32.SdBot.cic skipped
C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_3.MSI Embedded: infected - 2 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_April.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_April.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_April.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CD6C1249-86A1-49E9-B5A2-A372F9D06491}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_764.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 9:48:25 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am

Re: Virtumonde still infecting computer

Unread postby chryssi2001 » November 20th, 2007, 2:20 am

Hello Prille,

I feel a little better, yes.
Good, I hope you feel even better in the next days. :)

The pop-ups were actually from IE, but I haven't gotten any in a few weeks. I use a pop-up blocker so now the only thing that pops up is updates and things that were installed.

Do you mean you see the balloon which says that updates are ready to install and then that they were installed?
If it's that, it's normal and nothing to worry about.
------------------------------------------------
You have both AVAST AV and Ad-Aware 2007 installed using a crack. That's illegal.
I advise you to remove them via Start > Control Panel > Add/Remove Programs immediately, and install the free, clean (legal) ones from the links below.

avast! 4 Home Edition
Follow these instructions to uninstall and re-install AVAST AV.

Please follow the details below regarding the antivirus installation (see my post below):
  • download the installer
  • disconnect from internet
  • remove old one
  • install new one
  • reconnect, immediately update, and
  • run the antivirus and let it quarantine all its findings.

Ad-aware 2007
Download it from here
Find the tutorial on how to use Ad-Aware properly here
------------------------------------------------
After you do the above, please run Kaspersky on-line Scan again and post back the report together with a new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Virtumonde still infecting computer

Unread postby Prille » November 21st, 2007, 3:16 am

I did as instructed, but the two I had on my computer were not cracks. They were downloaded from reputable sites, like the two you gave me.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 21, 2007 1:13:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 462591
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 50961
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:00:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\April\Application Data\Aim\jztytbiv\SarcasmInt3nd3d\cert8.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Aim\jztytbiv\SarcasmInt3nd3d\key3.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\April\Application Data\Microsoft\Word\AutoRecovery save of Allcock -- Week 4.asd Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\cert8.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\history.dat Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\key3.db Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\parent.lock Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\April\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\dfsr.db Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\fsr.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\fsrtmp.log Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Messenger\drowninginsilence@hotmail.com\SharingMetadata\Working\database_EA0_B9CF_A0B9_BD91\tmp.edb Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows Live Contacts\drowninginsilence@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Microsoft\Windows Live Contacts\drowninginsilence@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\Application Data\Mozilla\Firefox\Profiles\k317v2d7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\April\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\History\History.IE5\MSHist012007112020071121\index.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_63c.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_8b4.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\Perflib_Perfdata_d48.dat Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF1E81.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF23BA.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DF7D7D.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DFAA7C.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DFEFC5.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DFF2AA.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~DFF320.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~WRF0001.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temp\~WRS0002.tmp Object is locked skipped
C:\Documents and Settings\April\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\April\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\April\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_April.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_April.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_April.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DEEC9AD-2D5C-467A-9A10-DF0C45BE2CFF}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{395B1B95-52A3-4202-8389-472DD091431D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{221FC35D-2585-402A-AEE2-EBDF17E90F4E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antiviru.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_414.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_e80.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 1:13:58 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\April\Desktop\Reiko files\Reiko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Prille
Active Member
 
Posts: 6
Joined: November 10th, 2007, 1:28 am
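The O23 lines in the log above are the service entries HijackThis lists. As an added example (not a tool from this thread or from HijackThis), the script below triages such lines and flags entries whose image file is reported missing, whose owner could not be resolved, or whose image sits outside the usual system directories. The sample input is four lines copied from the log plus one constructed entry; the trusted-directory list is an assumption.

```python
import re

# Sample input: four O23 lines copied from the posted log, plus one
# constructed entry (ExampleSvc) that is NOT from the log.
SAMPLE_O23 = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ExampleSvc (examplesvc) - Unknown owner - C:\Documents and Settings\April\Application Data\examplesvc.exe
"""

# HijackThis prints: O23 - Service: <display name> - <owner> - <image path [args]> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")

# Assumed allow-list of directories a legitimate service image normally lives in.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")


def parse_o23(line):
    """Return a dict for an O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith("(file missing)")
    if missing:
        rest = rest[: -len("(file missing)")].strip()
    # HijackThis prints the path unquoted, so a stray '"' or a ' /' marks
    # where service arguments begin; keep only the image path itself.
    path = re.split(r'"| /', rest, maxsplit=1)[0].strip()
    return {"name": m.group("name"), "owner": m.group("owner"),
            "path": path, "file_missing": missing}


def triage(entry):
    """List the reasons an O23 entry deserves a second look (empty if none)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("image file missing (orphaned or tampered service entry)")
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no publisher/owner resolved")
    if not entry["path"].lower().startswith(TRUSTED_DIRS):
        reasons.append("image outside Program Files / WINDOWS")
    return reasons


def triage_log(text):
    """Map each flagged service name to its list of reasons."""
    findings = {}
    for line in text.strip().splitlines():
        entry = parse_o23(line)
        if entry and triage(entry):
            findings[entry["name"]] = triage(entry)
    return findings
```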

Re: Virtumonde still infecting computer

Unread postby chryssi2001 » November 21st, 2007, 2:02 pm

Hello Prille,

C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe ------> Client-IRC.Win32.mIRC.616 skipped

Your mirc.exe shows infected. Also it is not installed in the proper folder.
The functionality of MIRC makes it possible for it to be used with malicious intent.

MIRC functions are often used by virus writers in order to create backdoors.
Older versions might have bugs that have been fixed in newer versions.

You could uninstall MIRC and re-download the latest version, but use a different link this time and install it in its own folder.

If you decide to uninstall please follow the instructions below:
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following file; if found, delete it:

C:\Documents and Settings\April\My Documents\GhalerionScript4.0\mirc.exe

Here is the link to the official site for the MIRC download.
----------------------------------------------------
Although we've cleaned all the infections found on your machine, the presence of the SDBot in the cracked programs of Ad-Aware 2007 and Avast means that your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.

I can't guarantee that your computer will be 100% secure from now on.

The best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.

If you decide not to reformat and reinstall, please let me know so I will help you remove all the programs we used to clean your computer.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Virtumonde still infecting computer

Unread postby Vino Rosso » December 2nd, 2007, 11:44 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

Note: If it has been ten days or more since your last post and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link: >Donations For Malware Removal<

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)