MalwareRemoval.com - Malware Removal Instructions

Virtumonde

Post by PeterD » December 18th, 2008, 6:46 pm

Hello!
I come home for Christmas every year, and every year my parents' computer is chock-a-block with spyware. This year there are tons of redirects, most noticeable from the Google results page. It opens every link in a new window and takes you to completely unrelated websites. You can usually (but not always) get around it by right-clicking the link and selecting "open in a new window" (and incidentally the advertisement links section on the right-hand side of the results page is much wider than on the usual web page). There are also a lot of popups that sometimes appear without clicking a new link at all.

I've tried AVG and Ad-Aware without luck (for some reason neither program could access its server to update its definition files, no matter how I tweak the firewall and connection settings). I thought I had a little more luck with Spybot Search & Destroy, but the same problem keeps happening. One of the infections Spybot found was Virtumonde, which it said was particularly difficult to remove; not sure if that's helpful.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:56, on 18/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zycqkssdxkwhmplljrgn.net/3hL ... UzSnZ.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCPrivacyTool] "C:\Program Files\PCPrivacyTool\GDC.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [qooys] "c:\windows\system32\qooys.exe" qooys
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Road kind] C:\DOCUME~1\Brian\APPLIC~1\LOADME~1\64 Film Third.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/auth ... wswaxd.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE05969D-2AC6-42AF-92E9-E6FE596A0583}: NameServer = 85.255.116.150 85.255.112.70
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: rqrrspo - rqrrspo.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 8739 bytes


I would really appreciate any help that anyone could give.

Thank you
PeterD
Active Member
 
Posts: 3
Joined: December 18th, 2008, 6:15 pm
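The HijackThis log in this post is the kind of thing the volunteers here read line by line. As an added example (not a tool from MalwareRemoval.com or from anyone in this thread), here is a small Python triage script run over a handful of lines copied from that log. It flags the entry classes a reviewer tends to look at first: O2/O9/O20 components whose backing file is missing, O4 autoruns launched from a user profile directory or carrying a machine-looking value name, and O17 NameServer lines that list resolvers outside an expected set. The `EXPECTED_DNS` allowlist and the gibberish heuristic in `looks_like_gibberish` are assumptions made for this example; in a real review the resolver addresses would be checked against what the user's ISP actually issues.

```python
"""Triage helper for HijackThis-style logs.

Added example; not MalwareRemoval.com's tooling. Flags entries that warrant a
human look rather than declaring anything malicious.
"""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [qooys] "c:\windows\system32\qooys.exe" qooys
O4 - HKCU\..\Run: [Road kind] C:\DOCUME~1\Brian\APPLIC~1\LOADME~1\64 Film Third.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE05969D-2AC6-42AF-92E9-E6FE596A0583}: NameServer = 85.255.116.150 85.255.112.70
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: rqrrspo - rqrrspo.dll (file missing)
"""

# Assumption for the example: the resolver(s) this household's router/ISP is
# expected to hand out. Any other address in an O17 line gets flagged.
EXPECTED_DNS = {"192.168.1.1"}


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the raw log line


ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
MISSING = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
PROFILE_PATH = re.compile(r"(?:docume~1|documents and settings|users)\\", re.IGNORECASE)
O4_VALUE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)")
O17_SERVERS = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def looks_like_gibberish(name: str) -> bool:
    """Crude heuristic (an assumption of this example) for auto-generated names:
    a 'q' not followed by 'u', or five or more consonants in a row."""
    n = name.lower()
    if not n.isalpha() or len(n) < 5:
        return False
    if re.search(r"q(?!u)", n):
        return True
    return re.search(r"[^aeiouy]{5,}", n) is not None


def triage(log_text: str) -> list[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        # Components registered in the registry whose file no longer exists.
        if kind in {"O2", "O9", "O20"} and MISSING.search(body):
            findings.append(Finding(kind, "registered component's file is missing", line))

        # Autoruns: where they start from, and what they are called.
        if kind == "O4":
            v = O4_VALUE.search(body)
            if v:
                if PROFILE_PATH.search(v.group("cmd")):
                    findings.append(Finding(kind, "autorun launched from a user profile directory", line))
                if looks_like_gibberish(v.group("name")):
                    findings.append(Finding(kind, "autorun value name looks machine-generated", line))

        # DNS servers set on an interface that are not the ones we expect.
        if kind == "O17":
            s = O17_SERVERS.search(body)
            if s:
                unexpected = sorted(set(IPV4.findall(s.group("servers"))) - EXPECTED_DNS)
                if unexpected:
                    findings.append(Finding(kind, "DNS servers not in the expected set: " + ", ".join(unexpected), line))

        # Winlogon Notify packages with a random-looking name.
        if kind == "O20" and "Winlogon Notify" in body:
            name = body.split(":", 1)[1].split("-", 1)[0].strip()
            if looks_like_gibberish(name):
                findings.append(Finding(kind, "Winlogon Notify package name looks machine-generated", line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")


if __name__ == "__main__":
    main()
```

Run against the sample above it reports six findings: the nameless BHO with no file, the two odd O4 entries, the O17 resolvers, and the missing Winlogon Notify DLL twice (once for the missing file, once for its name). The AVG tray entry and the AppInit_DLLs line pass through untouched, which is the point: the script narrows the list, and a person still decides what each flagged line means.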

Re: Virtumonde

Post by Bv202 » December 20th, 2008, 7:15 am

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum, and I'll be happy to assist you with all the malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • As I'm still in training here at Malware Removal, all my posts need to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See this link for details:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Virtumonde

Post by PeterD » December 21st, 2008, 11:52 am

Thank you so much for your time!

Here's the list you asked for:
AC3Filter (remove only)
Ad-Aware
Adobe Acrobat 4.0
Adobe Flash Player ActiveX
Adobe Reader 7.0
Audacity 1.2.6
AVG Free 8.0
BCM V.92 56K Modem
Broadcom Management Programs
BT Voyager 105 ADSL Modem
CCleaner (remove only)
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Player
DivX Web Player
DVDSentry
Easy CD Creator 5 Basic
ebgcInfra
ebgcRes
ebgcSDK
FruityLoops Studio Producer Edition v4.01
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp deskjet 640c series
ImageMixer VCD/DVD2 for OLYMPUS
Indeo® software
Intel(R) Extreme Graphics Driver
iPod for Windows 2005-02-07
iPod for Windows 2005-06-26
iPod Update 2004-04-28
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Mah Jong Medley
Malwarebytes' Anti-Malware
Microsoft Data Access Components KB870669
Microsoft Office 2000 Standard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (2.0.0.18)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Native Instruments Traktor DJ Studio 3
NI Service Center
OLYMPUS Master
Photo_Tour_Salzburg
PowerDVD
Project64 1.6
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Shockwave
SoulSeek 157 test 8
SoulSeek Client 156c
SpeedTouch USB Software
Spybot - Search & Destroy
Steinberg Cubasis go 3
SWiSHmax
Ulead Photo Explorer 8.0 SE Basic
Ulead Photo Express 5 SE
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
V3105s Digital Camera Driver
VeohTV BETA
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

It's a family computer, so it's totally full of all sorts of useless programmes from who-knows-when. Thanks again for your time.

Merry Christmas!!
PeterD
Active Member
 
Posts: 3
Joined: December 18th, 2008, 6:15 pm

Re: Virtumonde

Post by Bv202 » December 22nd, 2008, 6:16 am

Hi,

There is more in this log than just Virtumonde :(


Disable anti-malware products
You have some anti-malware products running which need disabling first. Please re-enable them after running Lop S&D (or at least re-enable AVG8!)

AVG8
Please open the AVG Control Center. Click on "Tools," select "Advanced" and then in the left-hand pane scroll down to "Resident Shield." In the main pane, deselect the option to "Enable Resident Shield."
If you want to re-enable AVG, please select "Enable Resident Shield" again.

Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shown with a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot


Windows Defender
  • Open Windows Defender
  • Select Tools and then General Settings
  • Under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save

Reboot the computer

Download and run Combofix
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, see the instructions above.
  • Close all programs before running ComboFix. While it's running, please don't do anything with your keyboard/mouse.
Please include the C:\ComboFix.txt in your next reply for further review.



Lop S&D-Option 1
Download Lop S&D by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Please keep your antivirus and antimalware programs disabled so they do not interfere with the running of Lop S&D. After running Lop S&D, please re-enable at least your antivirus.
  • Double-click Lop S&D.exe
  • Choose the language by typing the corresponding letter and press Enter
  • Click OK at the informative window
  • Type 1, to choose Option 1 (Search) then press Enter
  • Wait until the end of the scan
  • A report will be generated, post the contents of it in your next reply.
(Copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt)

In your next reply, please post:
1) The ComboFix log
2) The LOP S&D log
3) A new HijackThis log

Merry Christmas :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Virtumonde

Post by PeterD » December 23rd, 2008, 6:15 pm

Hello again!
I've done my best to follow your instructions exactly. I had a little trouble with ComboFix: it ran OK, but when I went to look for the log the folder was empty, so I had to re-run it. If there are any problems or errors in the logs, then let me know and I'll redo it.

Combofix log:
ComboFix 08-12-23.01 - Brian 2008-12-23 21:58:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.246 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-23 20:15 . 2008-12-23 21:37 <DIR> d-------- C:\Lop SD
2008-12-19 19:49 . 2008-12-20 04:09 <DIR> d-------- c:\windows\SYSTEM32\CatRoot_bak
2008-12-18 22:51 . 2008-12-18 22:51 <DIR> d-------- C:\VundoFix Backups
2008-12-18 21:57 . 2008-12-18 21:57 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 23:21 . 2008-12-17 23:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 20:30 --------- d-----w c:\program files\Soulseek
2008-12-19 15:55 --------- d-----w c:\documents and settings\Brian\Application Data\AdobeUM
2008-12-18 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 12:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-17 23:22 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-12 17:33 3,060,224 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-11-20 18:58 --------- d-----w c:\program files\Soulseek-Test
2008-10-26 16:05 --------- d-----w c:\documents and settings\Daniel\Application Data\U3
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 09:45 18,432 ------w c:\windows\SYSTEM32\DLLCACHE\iedw.exe
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:15 247,326 ------w c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2007-01-14 13:15 1,709,364 ----a-w c:\documents and settings\Daniel\worms.zip
2006-12-03 12:59 34,740,280 ----a-w c:\documents and settings\Daniel\Traktor_320_Win.zip
2006-12-03 12:42 19,944,018 ----a-w c:\documents and settings\Daniel\TDS301_OSX_Demo.zip
2006-11-04 16:44 311,066 ----a-w c:\documents and settings\Daniel\dgVoodoo1.40plus.zip
2006-11-04 16:44 236,257 ----a-w c:\documents and settings\Daniel\dgVoodoo1.31_log.zip
2006-10-18 18:41 774,144 ----a-w c:\program files\RngInterstitial.dll
2003-12-19 11:15 158,720 -c--a-w c:\program files\IPhOexam2Dec2003.doc
2003-12-09 23:30 445,952 ----a-w c:\program files\kmd.exe
1996-12-04 23:00 73,184 -c----w c:\program files\Common Files\Dao2535.tlb
1996-12-02 17:44 582,144 -c----w c:\program files\Common Files\dao350.dll
2008-12-22 18:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 18:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 18:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 18:26 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 18:26 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-08 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-19 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-25 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\SYSTEM32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
PowerReg Scheduler.exe [2004-05-30 251392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"vidc.mxmc"= MimicICM.DLL
"VIDC.MJPG"= pvmjpg21.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--------- 2003-08-19 13:47 16384 c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
--------- 2003-06-28 16:10 1658965 c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-12-08 18:37 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-08-25 16:50 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-25 16:50 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27439:TCP"= 27439:TCP:BitComet 27439 TCP
"27439:UDP"= 27439:UDP:BitComet 27439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-25 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-25 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-25 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-25 76040]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2007-04-01 c:\windows\Tasks\A6F828B6918BA2FA.job
- c:\docume~1\brian\applic~1\loadme~1\Cake owns anti.exe []

2007-04-01 c:\windows\Tasks\AA6B9F45918413ED.job
- c:\docume~1\peter\applic~1\loadme~1\Cake owns anti.exe []

2007-04-01 c:\windows\Tasks\AC77DFF891B052C0.job
- c:\docume~1\daniel\applic~1\loadme~1\Cake owns anti.exe []

2004-07-05 c:\windows\Tasks\New Task.job
- c:\program files\Kazaa\My Shared Folder\Bloc Party - banquet.mp3 []

2007-08-05 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2003-09-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]

2007-04-01 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 13:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
TCP: {DE05969D-2AC6-42AF-92E9-E6FE596A0583} = 212.139.132.25 212.139.132.24

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 22:03:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-23 22:05:45
ComboFix-quarantined-files.txt 2008-12-23 22:05:10
ComboFix2.txt 2008-12-23 21:30:29

Pre-Run: 3,934,351,360 bytes free
Post-Run: 3,919,024,128 bytes free

186 --- E O F --- 2008-12-19 19:20:23


Lop SD log:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel(R) Celeron(R) CPU 2.20GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A02
USER : Brian ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.0 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:38 Go (Free:3 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 23/12/2008|21:32 )

--------------------\\ Listing folders in APPLIC~1

[29/10/2006|15:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[22/08/2006|13:27] C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
[25/08/2008|12:51] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[29/10/2006|15:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec

[09/09/2007|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\2 inside axis barb
[19/12/2008|15:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[24/03/2006|13:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
[08/12/2004|18:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[25/08/2008|12:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
[10/02/2004|22:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Driving Test Success
[10/11/2006|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[04/11/2007|13:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
[07/07/2005|19:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
[03/02/2004|23:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hazard Perception Training
[16/10/2006|18:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[17/12/2008|23:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
[26/08/2008|12:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[21/07/2008|19:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[27/09/2003|18:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
[05/08/2007|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
[27/09/2003|18:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
[25/09/2003|01:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SBSI
[18/12/2008|16:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
[16/08/2005|16:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[17/10/2006|19:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
[28/12/2006|11:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
[27/08/2006|18:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\VideoEgg1
[05/02/2005|14:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
[11/09/2006|21:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage

[08/01/2008|17:55] C:\DOCUME~1\Anne\APPLIC~1\Adobe
[07/04/2008|14:58] C:\DOCUME~1\Anne\APPLIC~1\AdobeUM
[17/03/2006|21:00] C:\DOCUME~1\Anne\APPLIC~1\AOL
[24/02/2007|19:57] C:\DOCUME~1\Anne\APPLIC~1\Apple Computer
[07/08/2007|10:02] C:\DOCUME~1\Anne\APPLIC~1\Grisoft
[28/09/2003|17:54] C:\DOCUME~1\Anne\APPLIC~1\Help
[25/09/2003|01:10] C:\DOCUME~1\Anne\APPLIC~1\Identities
[18/10/2006|18:34] C:\DOCUME~1\Anne\APPLIC~1\Macromedia
[25/08/2008|12:51] C:\DOCUME~1\Anne\APPLIC~1\Microsoft
[31/07/2006|23:18] C:\DOCUME~1\Anne\APPLIC~1\OLYMPUS
[29/08/2008|20:16] C:\DOCUME~1\Anne\APPLIC~1\Real
[18/10/2006|18:16] C:\DOCUME~1\Anne\APPLIC~1\Sun
[25/09/2003|02:01] C:\DOCUME~1\Anne\APPLIC~1\Symantec
[05/12/2003|17:11] C:\DOCUME~1\Anne\APPLIC~1\Template
[07/04/2008|14:52] C:\DOCUME~1\Anne\APPLIC~1\U3
[08/11/2005|19:33] C:\DOCUME~1\Anne\APPLIC~1\You've Got Pictures Screensaver

[30/12/2007|23:16] C:\DOCUME~1\Brian\APPLIC~1\Adobe
[19/12/2008|15:55] C:\DOCUME~1\Brian\APPLIC~1\AdobeUM
[17/03/2006|21:00] C:\DOCUME~1\Brian\APPLIC~1\AOL
[29/07/2005|15:11] C:\DOCUME~1\Brian\APPLIC~1\Apple Computer
[09/05/2004|20:13] C:\DOCUME~1\Brian\APPLIC~1\CyberLink
[03/08/2007|19:42] C:\DOCUME~1\Brian\APPLIC~1\DivX
[05/02/2005|14:50] C:\DOCUME~1\Brian\APPLIC~1\Help
[25/09/2003|01:10] C:\DOCUME~1\Brian\APPLIC~1\Identities
[07/11/2006|21:00] C:\DOCUME~1\Brian\APPLIC~1\Lavasoft
[04/11/2006|09:10] C:\DOCUME~1\Brian\APPLIC~1\Load Media Bait
[01/05/2005|18:49] C:\DOCUME~1\Brian\APPLIC~1\Macromedia
[29/08/2008|12:54] C:\DOCUME~1\Brian\APPLIC~1\Malwarebytes
[25/08/2008|12:51] C:\DOCUME~1\Brian\APPLIC~1\Microsoft
[23/08/2006|07:08] C:\DOCUME~1\Brian\APPLIC~1\okay once safe
[18/04/2006|13:59] C:\DOCUME~1\Brian\APPLIC~1\OLYMPUS
[26/05/2005|20:40] C:\DOCUME~1\Brian\APPLIC~1\Real
[24/08/2008|16:13] C:\DOCUME~1\Brian\APPLIC~1\Snapfish
[27/08/2006|23:25] C:\DOCUME~1\Brian\APPLIC~1\Sun
[25/09/2003|02:01] C:\DOCUME~1\Brian\APPLIC~1\Symantec
[25/11/2003|22:08] C:\DOCUME~1\Brian\APPLIC~1\Template
[17/01/2008|22:44] C:\DOCUME~1\Brian\APPLIC~1\U3
[01/08/2007|18:18] C:\DOCUME~1\Brian\APPLIC~1\Ulead Systems
[05/02/2005|14:47] C:\DOCUME~1\Brian\APPLIC~1\You've Got Pictures Screensaver

[31/12/2007|01:17] C:\DOCUME~1\Daniel\APPLIC~1\Adobe
[08/10/2006|15:28] C:\DOCUME~1\Daniel\APPLIC~1\AdobeUM
[17/03/2006|21:00] C:\DOCUME~1\Daniel\APPLIC~1\AOL
[08/12/2004|18:37] C:\DOCUME~1\Daniel\APPLIC~1\Apple Computer
[10/10/2003|15:20] C:\DOCUME~1\Daniel\APPLIC~1\CyberLink
[24/12/2006|12:46] C:\DOCUME~1\Daniel\APPLIC~1\DivX
[18/03/2007|21:53] C:\DOCUME~1\Daniel\APPLIC~1\Google
[06/08/2007|12:07] C:\DOCUME~1\Daniel\APPLIC~1\Grisoft
[05/10/2003|15:55] C:\DOCUME~1\Daniel\APPLIC~1\Help
[25/09/2003|01:10] C:\DOCUME~1\Daniel\APPLIC~1\Identities
[04/06/2008|16:57] C:\DOCUME~1\Daniel\APPLIC~1\InstallShield Installation Information
[09/09/2007|08:38] C:\DOCUME~1\Daniel\APPLIC~1\Load Media Bait
[12/01/2008|13:35] C:\DOCUME~1\Daniel\APPLIC~1\Macromedia
[26/08/2008|12:14] C:\DOCUME~1\Daniel\APPLIC~1\Malwarebytes
[05/07/2007|09:06] C:\DOCUME~1\Daniel\APPLIC~1\Microsoft
[24/10/2008|17:36] C:\DOCUME~1\Daniel\APPLIC~1\Mozilla
[06/07/2004|01:18] C:\DOCUME~1\Daniel\APPLIC~1\MP3download
[18/01/2004|00:43] C:\DOCUME~1\Daniel\APPLIC~1\MSN6
[29/08/2006|07:48] C:\DOCUME~1\Daniel\APPLIC~1\okay once safe
[20/04/2006|10:23] C:\DOCUME~1\Daniel\APPLIC~1\OLYMPUS
[15/08/2008|10:48] C:\DOCUME~1\Daniel\APPLIC~1\Real
[13/10/2003|15:39] C:\DOCUME~1\Daniel\APPLIC~1\Roxio
[28/09/2003|12:38] C:\DOCUME~1\Daniel\APPLIC~1\Steinberg
[19/03/2007|10:41] C:\DOCUME~1\Daniel\APPLIC~1\Sun
[25/09/2003|02:01] C:\DOCUME~1\Daniel\APPLIC~1\Symantec
[26/10/2008|16:05] C:\DOCUME~1\Daniel\APPLIC~1\U3
[28/12/2006|11:48] C:\DOCUME~1\Daniel\APPLIC~1\Ulead Systems

[25/09/2003|01:10] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Identities
[25/09/2003|01:10] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[25/09/2003|02:01] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec

[03/02/2008|10:41] C:\DOCUME~1\Hannah\APPLIC~1\Adobe
[25/04/2007|09:26] C:\DOCUME~1\Hannah\APPLIC~1\AdobeUM
[17/03/2006|21:00] C:\DOCUME~1\Hannah\APPLIC~1\AOL
[06/03/2005|13:46] C:\DOCUME~1\Hannah\APPLIC~1\Apple Computer
[25/12/2007|14:12] C:\DOCUME~1\Hannah\APPLIC~1\DivX
[14/08/2007|20:12] C:\DOCUME~1\Hannah\APPLIC~1\Grisoft
[25/09/2003|01:10] C:\DOCUME~1\Hannah\APPLIC~1\Identities
[13/02/2005|16:50] C:\DOCUME~1\Hannah\APPLIC~1\Macromedia
[25/08/2008|12:51] C:\DOCUME~1\Hannah\APPLIC~1\Microsoft
[03/02/2008|11:44] C:\DOCUME~1\Hannah\APPLIC~1\Real
[28/03/2004|10:13] C:\DOCUME~1\Hannah\APPLIC~1\Roxio
[23/11/2006|12:21] C:\DOCUME~1\Hannah\APPLIC~1\Sun
[25/09/2003|02:01] C:\DOCUME~1\Hannah\APPLIC~1\Symantec

[25/08/2008|12:51] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[25/08/2008|12:51] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[04/01/2008|11:41] C:\DOCUME~1\Peter\APPLIC~1\Adobe
[04/10/2006|11:26] C:\DOCUME~1\Peter\APPLIC~1\AdobeUM
[17/03/2006|21:00] C:\DOCUME~1\Peter\APPLIC~1\AOL
[16/12/2004|03:00] C:\DOCUME~1\Peter\APPLIC~1\Apple Computer
[10/10/2003|22:27] C:\DOCUME~1\Peter\APPLIC~1\CyberLink
[26/12/2007|13:34] C:\DOCUME~1\Peter\APPLIC~1\DivX
[31/07/2006|18:17] C:\DOCUME~1\Peter\APPLIC~1\Google
[06/08/2007|10:44] C:\DOCUME~1\Peter\APPLIC~1\Grisoft
[07/07/2005|19:57] C:\DOCUME~1\Peter\APPLIC~1\GTek
[27/09/2003|19:35] C:\DOCUME~1\Peter\APPLIC~1\Help
[25/09/2003|01:10] C:\DOCUME~1\Peter\APPLIC~1\Identities
[31/03/2007|14:37] C:\DOCUME~1\Peter\APPLIC~1\Lavasoft
[25/08/2008|14:23] C:\DOCUME~1\Peter\APPLIC~1\Load Media Bait
[12/06/2004|01:40] C:\DOCUME~1\Peter\APPLIC~1\Macromedia
[07/09/2006|17:02] C:\DOCUME~1\Peter\APPLIC~1\Microsoft
[27/09/2003|19:16] C:\DOCUME~1\Peter\APPLIC~1\Microsoft Web Folders
[28/06/2005|14:14] C:\DOCUME~1\Peter\APPLIC~1\Motive
[28/09/2003|22:14] C:\DOCUME~1\Peter\APPLIC~1\MSN6
[22/08/2006|17:17] C:\DOCUME~1\Peter\APPLIC~1\okay once safe
[28/03/2007|18:44] C:\DOCUME~1\Peter\APPLIC~1\Real
[06/10/2003|17:10] C:\DOCUME~1\Peter\APPLIC~1\Roxio
[21/03/2005|21:17] C:\DOCUME~1\Peter\APPLIC~1\SecuROM
[28/09/2003|12:07] C:\DOCUME~1\Peter\APPLIC~1\Steinberg
[22/08/2006|15:55] C:\DOCUME~1\Peter\APPLIC~1\Sun
[25/09/2003|02:01] C:\DOCUME~1\Peter\APPLIC~1\Symantec
[23/07/2005|13:09] C:\DOCUME~1\Peter\APPLIC~1\You've Got Pictures screensaver

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[05/08/2007 01:22][--a------] C:\WINDOWS\tasks\Pareto UNS.job
[01/04/2007 16:00][--ah-----] C:\WINDOWS\tasks\AC77DFF891B052C0.job
[01/04/2007 16:00][--ah-----] C:\WINDOWS\tasks\A6F828B6918BA2FA.job
[01/04/2007 08:00][--a------] C:\WINDOWS\tasks\XoftSpy.job
[01/04/2007 16:00][--ah-----] C:\WINDOWS\tasks\AA6B9F45918413ED.job
[05/07/2004 00:23][--a------] C:\WINDOWS\tasks\New Task.job
[27/09/2003 17:32][--a------] C:\WINDOWS\tasks\Symantec NetDetect.job
[01/04/2007 16:01][--ah-----] C:\WINDOWS\tasks\SA.DAT
[29/08/2002 04:00][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI

( A6F828B6918BA2FA.job )=( c:\docume~1\brian\applic~1\loadme~1\Cakeownsanti.exe )
( AA6B9F45918413ED.job )=( c:\docume~1\peter\applic~1\loadme~1\Cakeownsanti.exe )
( AC77DFF891B052C0.job )=( c:\docume~1\daniel\applic~1\loadme~1\Cakeownsanti.exe )

--------------------\\ Listing Folders in C:\Program Files

[27/09/2006|14:37] C:\Program Files\1964
[03/08/2007|19:49] C:\Program Files\AC3Filter
[19/12/2008|15:51] C:\Program Files\Adobe
[20/07/2007|16:00] C:\Program Files\Audacity
[25/08/2008|12:52] C:\Program Files\AVG
[06/12/2003|20:15] C:\Program Files\BarbieDaisiescreensaver
[20/10/2006|18:50] C:\Program Files\BFG
[01/10/2007|07:07] C:\Program Files\BitComet
[25/09/2003|01:59] C:\Program Files\Broadcom Management Programs
[31/07/2006|21:38] C:\Program Files\BT Voyager 105 ADSL Modem
[05/09/2004|14:12] C:\Program Files\BTopenworld
[29/08/2008|10:50] C:\Program Files\CCleaner
[23/12/2008|21:06] C:\Program Files\Common Files
[25/09/2003|02:00] C:\Program Files\CyberLink
[01/04/2007|15:41] C:\Program Files\Dell
[23/07/2005|17:07] C:\Program Files\Dell Computer
[29/07/2007|14:35] C:\Program Files\DivX
[10/12/2005|18:40] C:\Program Files\FLStudio4
[07/11/2006|18:57] C:\Program Files\GameHouse
[21/07/2008|19:46] C:\Program Files\Grisoft
[30/09/2007|14:28] C:\Program Files\GuitarFX 3
[24/07/2008|20:18] C:\Program Files\InstallShield Installation Information
[28/09/2003|12:03] C:\Program Files\Intel
[28/10/2003|18:54] C:\Program Files\Internet
[19/12/2008|19:19] C:\Program Files\Internet Explorer
[24/03/2006|14:10] C:\Program Files\iPod
[01/08/2007|18:23] C:\Program Files\IrfanView
[07/07/2005|20:11] C:\Program Files\iTunes
[30/07/2007|22:01] C:\Program Files\Java
[22/03/2006|22:19] C:\Program Files\Kazaa
[29/08/2008|10:50] C:\Program Files\Lavasoft
[20/08/2006|10:00] C:\Program Files\Load Media Bait
[07/04/2005|09:57] C:\Program Files\Logitech
[28/06/2004|16:18] C:\Program Files\LucasArts
[26/08/2008|12:15] C:\Program Files\Malwarebytes' Anti-Malware
[03/08/2006|20:27] C:\Program Files\Maxis
[21/09/2008|20:07] C:\Program Files\Messenger
[31/05/2004|21:53] C:\Program Files\MGI
[29/07/2005|12:57] C:\Program Files\Microsoft AntiSpyware
[27/09/2003|19:15] C:\Program Files\microsoft frontpage
[27/09/2003|19:16] C:\Program Files\Microsoft Office
[02/02/2008|00:43] C:\Program Files\Microsoft Silverlight
[18/03/2006|13:53] C:\Program Files\Modem Helper
[04/08/2006|17:37] C:\Program Files\Movie Maker
[23/12/2008|17:12] C:\Program Files\Mozilla Firefox
[04/08/2006|18:14] C:\Program Files\msn gaming zone
[15/09/2007|09:13] C:\Program Files\MSN Messenger
[16/11/2006|11:06] C:\Program Files\MSXML 4.0
[03/04/2007|11:06] C:\Program Files\Native Instruments
[04/08/2006|17:34] C:\Program Files\NetMeeting
[16/08/2005|16:24] C:\Program Files\Norton AntiVirus
[25/09/2003|02:03] C:\Program Files\Nullsoft
[18/04/2006|13:54] C:\Program Files\OLYMPUS
[23/07/2005|17:05] C:\Program Files\Online Services
[14/06/2007|02:03] C:\Program Files\Outlook Express
[01/04/2007|15:49] C:\Program Files\Picture Organiser
[18/04/2006|13:52] C:\Program Files\PIXELA
[27/09/2006|14:46] C:\Program Files\Project64 1.6
[07/07/2005|20:11] C:\Program Files\QuickTime
[25/04/2004|15:25] C:\Program Files\Rapidocs
[22/10/2006|12:05] C:\Program Files\Real
[29/08/2006|16:57] C:\Program Files\ReflexiveArcade
[20/07/2007|16:20] C:\Program Files\Rockstar Games
[25/09/2003|02:03] C:\Program Files\Roxio
[23/12/2008|20:30] C:\Program Files\Soulseek
[20/11/2008|18:58] C:\Program Files\Soulseek-Test
[18/12/2008|12:22] C:\Program Files\Spybot - Search & Destroy
[18/08/2008|12:49] C:\Program Files\Steinberg
[12/03/2006|20:01] C:\Program Files\SWiSHmax
[16/08/2005|16:23] C:\Program Files\Symantec
[21/04/2006|09:22] C:\Program Files\Thomson
[30/08/2006|01:34] C:\Program Files\thriXXX
[18/12/2008|21:57] C:\Program Files\Trend Micro
[28/12/2006|11:41] C:\Program Files\Ulead Systems
[06/07/2004|01:58] C:\Program Files\Uninstall Information
[28/12/2006|11:39] C:\Program Files\V3105s Digital Camera
[24/07/2008|20:16] C:\Program Files\Veoh Networks
[22/03/2006|23:05] C:\Program Files\VoyagerTest
[27/09/2003|18:23] C:\Program Files\Windows Media Components
[10/09/2006|20:04] C:\Program Files\Windows Media Player
[04/08/2006|17:34] C:\Program Files\Windows NT
[18/08/2004|21:31] C:\Program Files\WindowsUpdate
[01/04/2007|15:43] C:\Program Files\WinRAR
[25/09/2003|01:11] C:\Program Files\XEROX
[05/08/2007|01:20] C:\Program Files\XoftSpy
[10/11/2006|11:39] C:\Program Files\Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[25/09/2003|02:03] C:\Program Files\Common Files\Adaptec Shared
[01/04/2007|15:40] C:\Program Files\Common Files\Adobe
[22/03/2006|22:19] C:\Program Files\Common Files\AOL
[05/02/2005|14:48] C:\Program Files\Common Files\aolback
[16/07/2005|19:05] C:\Program Files\Common Files\aolshare(2)
[16/07/2005|19:02] C:\Program Files\Common Files\aolshare(3)
[27/09/2003|19:18] C:\Program Files\Common Files\Designer
[01/10/2003|23:03] C:\Program Files\Common Files\InstallShield
[22/08/2006|15:52] C:\Program Files\Common Files\Java
[27/09/2003|18:19] C:\Program Files\Common Files\Logitech
[25/08/2008|12:52] C:\Program Files\Common Files\Microsoft Shared
[09/04/2005|12:55] C:\Program Files\Common Files\mnpdperf
[25/09/2003|01:11] C:\Program Files\Common Files\MSSoap
[05/02/2005|14:46] C:\Program Files\Common Files\Nullsoft
[25/08/2008|16:51] C:\Program Files\Common Files\Real
[25/09/2003|01:11] C:\Program Files\Common Files\Services
[25/09/2003|01:10] C:\Program Files\Common Files\SpeechEngines
[24/07/2008|14:47] C:\Program Files\Common Files\Symantec Shared
[14/06/2007|02:03] C:\Program Files\Common Files\System
[28/12/2006|11:40] C:\Program Files\Common Files\Ulead Systems
[17/12/2008|23:21] C:\Program Files\Common Files\Wise Installation Wizard
[25/08/2008|16:52] C:\Program Files\Common Files\xing shared

--------------------\\ Process

( 28 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Brian\APPLIC~1\loadme~1
C:\DOCUME~1\Daniel\APPLIC~1\loadme~1
C:\DOCUME~1\Daniel\APPLIC~1\loadme~1\dogaaimi.exe
C:\DOCUME~1\Daniel\APPLIC~1\loadme~1\iqydhhij.exe
C:\DOCUME~1\Peter\APPLIC~1\loadme~1
C:\DOCUME~1\Peter\APPLIC~1\loadme~1\jgcivevi.exe
C:\Program Files\loadme~1
C:\DOCUME~1\Brian\Cookies\brian@adverts.adgenie.co[1].txt
C:\DOCUME~1\Brian\Cookies\brian@ipt.advertserve[1].txt
C:\DOCUME~1\Brian\Cookies\brian@messagespace.advertserve[1].txt
C:\DOCUME~1\Brian\Cookies\brian@adultfriendfinder[2].txt
C:\DOCUME~1\Brian\Cookies\brian@32vegas[1].txt
C:\DOCUME~1\Brian\Cookies\brian@banner.32vegas[2].txt
C:\DOCUME~1\Brian\Cookies\brian@www.32vegas[1].txt
C:\DOCUME~1\Brian\Cookies\brian@888ladies[1].txt
C:\DOCUME~1\Brian\Cookies\brian@888ladies[2].txt
C:\WINDOWS\Tasks\A6F828B6918BA2FA.job
C:\WINDOWS\Tasks\AA6B9F45918413ED.job
C:\WINDOWS\Tasks\AC77DFF891B052C0.job

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 21:36:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:742][D:0]-> C:\DOCUME~1\Brian\Cookies
[F:1][D:0]-> C:\DOCUME~1\Brian\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 23/12/2008|21:37 - Option : [1]

--------------------\\ Scan completed at 21:37:52


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:50, on 23/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/auth ... wswaxd.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE05969D-2AC6-42AF-92E9-E6FE596A0583}: NameServer = 212.139.132.25 212.139.132.24
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 8073 bytes


Like I said, any problems just let me know and I can re-run the programs. Thank you very much again and Merry Christmas!
PeterD
Active Member
 
Posts: 3
Joined: December 18th, 2008, 6:15 pm

Re: Virtumonde

Unread postby Bv202 » December 24th, 2008, 4:04 pm

Hi PeterD

REMOVE P2P PROGRAMS
IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

SoulSeek 157 test 8
SoulSeek Client 156c


Before I can continue with cleaning your system, you must remove any/all Peer-to-Peer filesharing programs. For an explanation of our policy, please read the following P2P Program Policy

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
Then, navigate and delete these folders:
C:\Program Files\Kazaa
C:\Program Files\BitComet
I also want to warn you about Kazaa. Kazaa is known as one of the bad P2P programs. You can read more about it here.

Post back a new uninstall list, so we can continue cleaning your PC.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Virtumonde

Unread postby Bv202 » December 27th, 2008, 1:04 pm

Hello,

It's been 3 days since my last post. Do you still require help? If not, please tell us so this thread can get closed.

If you do not reply within 2 days, we'll close this thread.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Virtumonde

Unread postby NonSuch » December 29th, 2008, 3:51 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California