Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Virtumonde

Unread postby Axephilic » September 8th, 2008, 6:13 pm

Hello,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\Downloaded Program Files\gbn163.exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply along with a new HijackThis log.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
Advertisement
Register to Remove

Re: Virtumonde

Unread postby Humboldt12 » September 8th, 2008, 7:13 pm

Latest ComboFix log:

ComboFix 08-08-24.02 - nakadasachiko 2008-09-09 7:53:05.4 - NTFSx86
Running from: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\ComboFix.exe
Command switches used :: C:\Documents and Settings\nakadasachiko\ƒfƒXƒNƒgƒbƒv\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
C:\WINDOWS\Downloaded Program Files\gbn163.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\gbn163.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-09 01:05 . 2008-09-09 01:05 <DIR> d-------- C:\WINDOWS\Sun
2008-09-09 01:03 . 2008-09-09 01:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-09 01:03 . 2008-09-09 01:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-09 01:02 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-09 00:58 . 2008-09-09 01:02 <DIR> d-------- C:\Program Files\Java
2008-09-09 00:50 . 2008-09-09 02:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-18 01:22 . 2008-08-18 01:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 18:58 . 2008-05-01 23:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 20:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-08 20:04 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-08 16:27 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-09-08 15:57 --------- d-----w C:\Program Files\Common Files\Java
2008-09-08 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-17 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-17 09:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-16 18:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-16 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 11:03 --------- d-----w C:\Program Files\XML
2008-07-19 10:49 --------- d-----w C:\Documents and Settings\nakadasachiko\Application Data\PC Tools
2008-07-19 10:48 --------- d-----w C:\Program Files\Google
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:30 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:22 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 01:14 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:22 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:22 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:39 243,200 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:39 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-14 17:57 270,464 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-03-24 11:10 34,584 ----a-w C:\Documents and Settings\nakadasachiko\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_10.28.50.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-08 18:20:29 145,936 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-09-08 15:14:49 145,936 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-06-09 16:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-09 16:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-09 17:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:55 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 16:55 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:32 455168]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 02:14 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 02:05 114688]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-08-01 14:43 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-08-01 14:43 557056]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-03 12:33 192591]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-03-13 04:52 77824]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 09:46 497200]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34 614960]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 163840 C:\WINDOWS\SYSTEM32\pctspk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:55 15360]

C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickShelf.lnk - C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe [2000-12-20 19:06:16 36911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^Date Manager.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^GStartup.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ƒXƒ^[ƒg ƒƒjƒ…[^ƒvƒƒOƒ‰ƒ€^ƒXƒ^[ƒgƒAƒbƒv^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2002-06-21 18:44]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 07:55:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\ 4718592 bytes
C:\Documents and Settings\nakadasachiko\ 81920 bytes
C:\Documents and Settings\nakadasachiko\ 278 bytes
C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\C:\Documents and Settings\nakadasachiko\
C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\ 262144 bytes
C:\Documents and Settings\All Users\ 1024 bytes
C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\C:\Documents and Settings\All Users\

scan completed successfully
hidden files: 28

**************************************************************************
.
Completion time: 2008-09-09 8:01:11
ComboFix-quarantined-files.txt 2008-09-08 23:00:35
ComboFix2.txt 2008-09-08 15:30:54
ComboFix3.txt 2008-08-29 01:31:10

Pre-Run: 4,448,428,032 ƒoƒCƒg‚̋󂫗̈æ
Post-Run: 4,480,356,352 ƒoƒCƒg‚̋󂫗̈æ

151 --- E O F --- 2008-08-16 13:44:23


Latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:04:33, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live ?T?C?g?C?g ?w???p?[ - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Lookup in Bookshelf - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Bookshelf‚ÅŒŸõ(&L) - res://C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\bsdef.dll/#1001
O8 - Extra context menu item: Microsoft Excel ‚ɃGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun ? Java ????? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1455382692
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7600 bytes
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby Axephilic » September 8th, 2008, 7:38 pm

Congratulations! You are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Hide system files

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Do not show hidden files and folders.
  6. Check (tick) Hide extensions of known file types.
  7. Check (tick) Hide protected operating system files (Recommended).
  8. Click OK.
  9. Close My Computer.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde

Unread postby Humboldt12 » September 9th, 2008, 10:53 pm

:cheers: :cheers: :cheers: Thankyou so much for your help. I appreciate you giving up your free time for this, and I think it's a really good thing you guys do on this site.

Best wishes,

Stephen
Humboldt12
Active Member
 
Posts: 11
Joined: August 22nd, 2008, 5:09 am

Re: Virtumonde

Unread postby NonSuch » September 14th, 2008, 3:33 am

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 310 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware