Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

can't get rid of trojan.virtumonde please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 10th, 2009, 1:55 pm

Hi all, I appreciate any help anyone can give because I am stuck here. I've run spyware doctor many times and it still can't seem to get rid of trojan.virtumonde. My comp is still running slow and having unwanted popups. Here is my hijack this log. Thanks for any help you can give!

EDIT: After continuing to work on getting rid of this i was able to run combofix. A lot of the problems are gone (comp runs faster) but my browser still gets hijacked so sometimes. Below my initial hijack log, I am posting a combofix log.

Logfile of HijackThis v1.99.1
Scan saved at 1:51:56 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\ld12.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 aviremover-2009.com
O1 - Hosts: 209.44.111.62 http://www.aviremover-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MessengerUpdate - {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - (no file)
O2 - BHO: (no name) - {a61246e7-96f5-482f-a6cc-32aea3d220c3} - C:\WINDOWS\system32\migisibi.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [CPMbbe285f5] Rundll32.exe "c:\windows\system32\susonuno.dll",a
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [vobohuzogi] Rundll32.exe "C:\WINDOWS\system32\kedohugu.dll",s
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld12.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\DOCUME~1\John\LOCALS~1\Temp\549002433922mxx.dll c:\windows\system32\susonuno.dll,C:\WINDOWS\system32\zotokohu.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\susonuno.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - Unknown owner - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files\PostgreSQL\8.3\data\ (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe" (file missing)
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE








ComboFix Log








ComboFix 09-07-09.08 - John 07/10/2009 19:43.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.290 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465752.dat
c:\windows\system32\drivers\SKYNETbknlhswo.sys
c:\windows\system32\drivers\UACuwmtggioommeosogu.sys
c:\windows\system32\fibidaku.dll.tmp
c:\windows\system32\gdi32lib.dll
c:\windows\system32\juvihawo.dll.tmp
c:\windows\system32\SKYNEThnhsbvxe.dat
c:\windows\system32\SKYNETokahnahb.dat
c:\windows\system32\SKYNETpsawvlaq.dll
c:\windows\system32\SKYNETrodwqekk.dll
c:\windows\system32\tadagagu.dll
c:\windows\system32\UACbekayekclusffdkka.dll
c:\windows\system32\UACilrsdswrsekkigvai.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACinxdcofwjbmreydui.dll
c:\windows\system32\UACivjhukvvehhjnbslp.dat
c:\windows\system32\uactmp.db
c:\windows\system32\UACuymueawfooishcgcv.dll
c:\windows\system32\UACvvatwjojrbrflkwac.db
c:\windows\system32\UACvygegonhxhdlhxqnb.dll
C:\xcrashdump.dat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETrvpkhctr


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-10 22:03 . 2009-07-10 22:03 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-07-10 21:46 . 2009-07-10 21:46 -------- d-----w- c:\documents and settings\Administrator.JOHN-XYJV14Y551\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:22 . 2009-07-10 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 21:22 . 2009-07-10 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 20:32 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-07-10 18:08 . 2009-07-10 18:08 -------- d-----w- C:\VundoFix Backups
2009-07-10 02:48 . 2009-07-10 02:48 -------- d-----w- c:\program files\sFX
2009-07-09 06:14 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-09 06:14 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-09 06:14 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-09 06:14 . 2009-07-10 21:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 06:14 . 2009-07-09 06:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-09 06:14 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-09 06:14 . 2009-07-10 21:14 -------- d-----w- c:\program files\Spyware Doctor
2009-07-09 06:14 . 2009-07-10 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-09 06:14 . 2009-07-09 06:14 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools
2009-07-09 06:02 . 2009-07-09 06:06 -------- d-----w- c:\documents and settings\John\Application Data\Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 21:56 . 2005-12-06 09:46 -------- d-----w- c:\program files\PokerStars
2009-07-09 07:00 . 2009-05-18 18:22 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-16 20:53 . 2007-05-22 17:38 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-19 19:11 . 2009-05-19 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-05-13 16:33 . 2008-11-22 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Examsoft
2009-05-13 16:29 . 2008-11-22 01:20 315390 ----a-w- c:\windows\jgzr.dat
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2003-07-16 16:45 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-16 19:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2003-07-16 16:45 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2002-11-08 01:47 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 04:24 . 2009-04-14 04:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-14 04:23 . 2009-04-14 04:23 152576 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-31 04:58 204248 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-31 185872]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/9/2009 2:14 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [7/10/2009 4:32 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [7/10/2009 4:32 PM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [7/9/2009 2:14 AM 159600]
R1 sFxdrv;sFxdrv;c:\program files\sFX\sfX.sYs [7/9/2009 10:48 PM 9472]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/9/2009 2:14 AM 348752]
R2 sfx;sfx;c:\windows\sySTEM32\SvchoSt.ExE -k sfx [7/16/2003 12:41 PM 14336]
R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [5/21/2007 7:55 AM 45056]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:40 PM 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [3/23/2007 6:24 AM 229856]
S2 heihypck;heihypck;c:\windows\system32\drivers\tikpcops.sys --> c:\windows\system32\drivers\tikpcops.sys [?]
S2 orif;orif;c:\windows\system32\drivers\ihihx.sys --> c:\windows\system32\drivers\ihihx.sys [?]
S2 xienm;xienm;c:\windows\system32\drivers\uiaymrw.sys --> c:\windows\system32\drivers\uiaymrw.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [7/9/2009 2:14 AM 64392]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [7/10/2009 4:32 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
sfx REG_MULTI_SZ sfx
.
Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-06 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-30 18:15]

2009-07-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\beuhytek.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=U ... &gfns=1&q=
FF - plugin: c:\documents and settings\John\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=U ... &gfns=1&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 19:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\System32\BCMLogon.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\ssisvr32.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-10 20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 00:00

Pre-Run: 5,954,961,408 bytes free
Post-Run: 6,055,129,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2009-06-11 07:03
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm
Advertisement
Register to Remove

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 13th, 2009, 1:54 pm

Hello... Welcome to the forum.
My name is Wingman, and I'll be helping you with any malware problems.
HijackThis logs can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers, everything I post to you, has been reviewed by them.
This additional review process can add some extra time to my responses...but not too much
.
;)

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  4. Please, if you have questions about something...ASK, don't guess or assume.
  5. Only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  7. Only- reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean"

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.
In the meantime... please perform the following steps.

Please read instructions carefully before executing and perform the steps, in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 logs files...will be produced.
  4. The first one, "log.txt", will be maximized
  5. The second one, "info.txt", will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Step 2.
Please include in your next reply:
  1. Any problem executing the instructions
  2. RSIT log.txt and info.txt file contents
  3. How is your computer behaving
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 13th, 2009, 2:39 pm

The computer is running at normal speed but whenever i do a google search my browser gets hijacked to another site when i click on a search result. When i open a website on my own I am sometimes redirected to some bogus search results. Finally, i do occasionally get bogus popups saying my computer has been compromised and requests to download bogus virus scans.

Info.txt

info.txt logfile of random's system information tool 1.06 2009-07-13 14:35:57

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal-->MsiExec.exe /I{101F2C64-5735-4B32-9E52-4CB85E5D8C93}
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Azureus-->C:\Program Files\Azureus\Uninstall.exe
BitTorrent 5.0.5-->"C:\Program Files\BitTorrent\uninstall.exe"
Blocktrix 1.00-->C:\Program Files\Blocktrix\uninst.exe
Broadcom Gigabit Integrated Controller-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D480 MDC V.9x Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DivX Media Codec 4.2.1-->C:\WINDOWS\system32\uninstdivx.exe
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
Full Tilt Poker-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Holdem Manager-->MsiExec.exe /I{42DE940E-8037-4266-9FBF-5A3AEDA39E96}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotspot Shield 1.10-->C:\Program Files\Hotspot Shield\Uninstall.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
O2Micro Smartcard Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E1547FCE-F5DD-4D77-8C71-13B6A2B8F527} /l1033
PokerStars.net-->C:\Program Files\PokerStars.NET\Uninstall.EXE /u:"PokerStars.net"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PostgreSQL 8.3-->MsiExec.exe /I{B823632F-3B72-4514-8861-B961CE263224}
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
QuickTime-->MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Securexam Student-->"C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Securexam Student-->C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe
Securexam Student-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2BE55EC-8569-11D4-AADE-52544CC9E028}\Setup.exe" UNINSTALL
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
SigmaTel AC97 Audio Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
Smart Defrag 1.10-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
SnG Power Tools v1.19b-->"C:\Program Files\Advantage Analysis\SnG Power Tools\unins000.exe"
SofTest-->MsiExec.exe /X{C430FD9C-FFDC-484F-ABF4-870101AE4C70}
Spybot - Search & Destroy 1.4-->MsiExec.exe /I{B8893BFE-D0EB-44A5-A2CE-4840AA0F5CA6}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Take Charge 2.1-->MsiExec.exe /I{AAB04B68-2596-4C2B-B237-D66BBC9B732D}
TetriNet2-->C:\Program Files\TetriNet2\uninstall.exe
Tourney Manager-->MsiExec.exe /I{33FF2328-8CE0-425E-AEDC-BEF9AED09153}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Update Wizard (Redistributable) 4.0-->C:\WINDOWS\system32\wuwuninst.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: Spyware Doctor with AntiVirus (disabled)

======System event log======

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 52
Source Name: b57w2k
Time Written: 20090710010740.000000-240
Event Type: warning
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7034
Message: The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Record Number: 42
Source Name: Service Control Manager
Time Written: 20090710010246.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7000
Message: The Viewpoint Manager Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 8
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.

Record Number: 7
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 5
Source Name: b57w2k
Time Written: 20090709034312.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70419
Source Name: Google Update
Time Written: 20090711004005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70418
Source Name: Google Update
Time Written: 20090710234005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70403
Source Name: Userenv
Time Written: 20090710195356.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70391
Source Name: Userenv
Time Written: 20090710194101.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70377
Last edited by Metnut on July 13th, 2009, 2:41 pm, edited 1 time in total.
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 13th, 2009, 2:41 pm

log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by John at 2009-07-13 14:35:39
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (15%) free of 38 GB
Total RAM: 511 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:51 PM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\Desktop\RSIT.exe
C:\Program Files\trend micro\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7175 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-12-31 304736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-14 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files\Hotspot Shield\hssie\HssIE.dll [2008-12-31 204248]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-07-29 335872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-14 148888]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-11 286720]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-12-11 267048]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-31 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2003-07-29 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"AllowMultipleTSSessions"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-07-13 14:35:40 ----D---- C:\Program Files\trend micro
2009-07-13 14:35:39 ----D---- C:\rsit
2009-07-11 14:47:13 ----A---- C:\ComboFix.txt
2009-07-10 19:33:21 ----A---- C:\Boot.bak
2009-07-10 19:33:10 ----RASHD---- C:\cmdcons
2009-07-10 19:30:54 ----A---- C:\WINDOWS\zip.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWSC.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWREG.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\sed.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\PEV.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\grep.exe
2009-07-10 19:29:40 ----D---- C:\WINDOWS\ERDNT
2009-07-10 19:29:23 ----D---- C:\Qoobox
2009-07-10 18:03:47 ----D---- C:\Documents and Settings\John\Application Data\Malwarebytes
2009-07-10 17:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-10 17:22:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-10 14:08:50 ----D---- C:\VundoFix Backups
2009-07-10 14:08:50 ----A---- C:\VundoFix.txt
2009-07-10 13:34:11 ----D---- C:\Program Files\HijackThis
2009-07-09 22:48:25 ----D---- C:\Program Files\sFX
2009-07-09 03:13:19 ----SHD---- C:\WINDOWS\CSC
2009-07-09 03:13:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-09 02:14:11 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-09 02:14:06 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-09 02:14:00 ----D---- C:\Program Files\Spyware Doctor
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\John\Application Data\PC Tools
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-07-09 02:02:55 ----D---- C:\Documents and Settings\John\Application Data\Messenger

======List of files/folders modified in the last 1 months======

2009-07-13 14:35:44 ----D---- C:\WINDOWS\Prefetch
2009-07-13 14:35:40 ----RD---- C:\Program Files
2009-07-13 14:31:10 ----D---- C:\Program Files\Mozilla Firefox
2009-07-12 16:40:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-11 14:47:16 ----D---- C:\WINDOWS\system32
2009-07-11 14:45:52 ----D---- C:\WINDOWS\Temp
2009-07-11 14:43:05 ----D---- C:\WINDOWS
2009-07-11 14:43:05 ----A---- C:\WINDOWS\system.ini
2009-07-11 14:36:03 ----D---- C:\WINDOWS\system32\drivers
2009-07-11 14:36:03 ----D---- C:\WINDOWS\AppPatch
2009-07-11 14:35:56 ----D---- C:\Program Files\Common Files
2009-07-11 14:35:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-11 13:01:53 ----D---- C:\Program Files\PokerStars
2009-07-10 19:59:33 ----SD---- C:\WINDOWS\Tasks
2009-07-10 19:59:14 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-10 19:53:30 ----D---- C:\WINDOWS\system32\config
2009-07-10 19:33:22 ----RASH---- C:\boot.ini
2009-07-10 18:25:26 ----D---- C:\WINDOWS\Minidump
2009-07-10 17:44:20 ----D---- C:\Documents and Settings
2009-07-10 16:35:42 ----SHD---- C:\WINDOWS\Installer
2009-07-10 16:35:33 ----D---- C:\WINDOWS\WinSxS
2009-07-09 03:38:41 ----D---- C:\WINDOWS\system32\wbem
2009-07-09 03:00:54 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
2009-06-16 16:53:47 ----D---- C:\Program Files\Full Tilt Poker

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-24 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-24 2560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-20 17217]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 sFxdrv;sFxdrv; \??\C:\Program Files\sFX\sfX.sYs []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-07-29 587264]
R3 b57w2k;Broadcom 570x Gigabit Integrated Controller; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 catchme;catchme; \??\C:\DOCUME~1\John\LOCALS~1\Temp\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-07-03 1063936]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-07-03 189056]
R3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINDOWS\System32\DRIVERS\ozscr.sys [2003-12-11 91395]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2004-11-15 264440]
R3 tapvpn;TAP VPN Adapter; C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 27136]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-07-03 631680]
S2 heihypck;heihypck; C:\WINDOWS\system32\drivers\tikpcops.sys []
S2 orif;orif; C:\WINDOWS\system32\drivers\ihihx.sys []
S2 xienm;xienm; C:\WINDOWS\system32\drivers\uiaymrw.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-07-29 323584]
R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [2008-11-25 88024]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-14 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sfx;sfx; C:\WINDOWS\sySTEM32\SvchoSt.ExE [2008-04-14 14336]
R2 SSIRuntimeService;SSIRuntimeService; C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-05-21 45056]
R2 SSISvr32;Software Secure Service; C:\WINDOWS\system32\ssisvr32.exe [2007-01-16 200704]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-03-23 229856]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
S3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 16th, 2009, 8:59 am

Hi Metnut,
I know you want your computer running smoothly as fast as possible. I will try to accommodate that wish. However...
It is apparent by the various logs, that you are running "fix" programs, scripts or deleting files on your own... If you want me to continue trying to help, I am more than willing but you must stop
running any fix programs, or making any other software changes, including deleting files. I need to see what's going on and while removing a file may appear to be a good idea, it can mask
what is really taking place.

Backdoor Warning
Your computer has multiple infections, including a Backdoor.

The particular infection is part of a Koobface worm infection, with backdoor capabilities. This infection can be picked up by using various "social networks" like Facebook or MySpace.
Some reference material: http://www.threatexpert.com/report.aspx ... 6aee787101

A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge.
A backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
Typically it's installed without user interaction through security exploits, and can severely compromise system security.
Such infections may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware.
These backdoor infections may also collect and transmit personally identifiable information, without your consent and severely degrade the performance and stability of your computer.
A backdoor infection can give intruders complete control of your computer, logs your keystrokes, obtain passwords, steal personal information, etc.

You are strongly advised to do the following:
  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft
    and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords
    (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
    Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again.
Many experts in the security community believe that once infected with this type of Trojan,
the best course of action would be to do a reformat and re-installation of the operating system (OS).
This decision will have to be made by you...

We can attempt to clean this machine but we will not guarantee that it won't still be compromised, afterwards.

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Please let me know how you would like to proceed.
If you wish to continue, please perform the following steps. If you do not want to continue, let me know and this topic will be closed.


P2P Advisory!
IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
Azureus
BitTorrent 5.0.5

As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assitance.
If you choose NOT to remove the program(s)...indicate that in your next reply and this topic will be closed.

Otherwise, please perform the following steps:

Step 1.
Remove P2P Program(s)
  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate the following program:
    Azureus
    BitTorrent 5.0.5
  3. Click on the Change/Remove button to uninstall it.
    Repeat steps 2 and 3 for each program listed.
  4. When the program(s) have been uninstalled... Close Add/Remove Programs. Close Control Panel.

By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program
itself, may be safe but the files may not... use P2P at your own risk! Keep in mind that this practice may be the source of your current malware infestation.
References... siting risk factors, using P2P programs: Malware: Help prevent the Infection and How to Prevent the Online Invasion of Spyware and Adware

Step 2.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... ONLY the LOG.txt file ...will be produced.
  4. The "log.txt", will be maximized
    Please post ONLY the "log.txt", file contents in your next reply.

Please include in your next reply:
  1. Proceed with cleaning?
  2. New RSIT log
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 16th, 2009, 1:08 pm

Lets proceed with cleaning. If you feel that it becomes futile let me know. As asked, I removed the p2p programs. Also as asked, I have not run any system cleaners since your last post and will not run anymore for the duration of you helping me. However, overnight last night windows installed some update and said that an infection had been removed. Here is the log that you requested.

Logfile of random's system information tool 1.06 (written by random/random)
Run by John at 2009-07-16 13:07:14
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (15%) free of 38 GB
Total RAM: 511 MB (16% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:20 PM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\Desktop\RSIT.exe
C:\Program Files\trend micro\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7136 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-12-31 304736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-14 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files\Hotspot Shield\hssie\HssIE.dll [2008-12-31 204248]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-07-29 335872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-14 148888]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-11 286720]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-12-11 267048]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-31 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2003-07-29 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"AllowMultipleTSSessions"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-07-16 03:03:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:03:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:01:57 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-16 03:01:41 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 14:35:40 ----D---- C:\Program Files\trend micro
2009-07-13 14:35:39 ----D---- C:\rsit
2009-07-11 14:47:13 ----A---- C:\ComboFix.txt
2009-07-10 19:33:21 ----A---- C:\Boot.bak
2009-07-10 19:33:10 ----RASHD---- C:\cmdcons
2009-07-10 19:30:54 ----A---- C:\WINDOWS\zip.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWSC.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWREG.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\sed.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\PEV.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\grep.exe
2009-07-10 19:29:40 ----D---- C:\WINDOWS\ERDNT
2009-07-10 19:29:23 ----D---- C:\Qoobox
2009-07-10 18:03:47 ----D---- C:\Documents and Settings\John\Application Data\Malwarebytes
2009-07-10 17:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-10 17:22:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-10 14:08:50 ----D---- C:\VundoFix Backups
2009-07-10 14:08:50 ----A---- C:\VundoFix.txt
2009-07-10 13:34:11 ----D---- C:\Program Files\HijackThis
2009-07-09 22:48:25 ----D---- C:\Program Files\sFX
2009-07-09 03:13:19 ----SHD---- C:\WINDOWS\CSC
2009-07-09 03:13:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-09 02:14:11 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-09 02:14:06 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-09 02:14:00 ----D---- C:\Program Files\Spyware Doctor
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\John\Application Data\PC Tools
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-07-09 02:02:55 ----D---- C:\Documents and Settings\John\Application Data\Messenger

======List of files/folders modified in the last 1 months======

2009-07-16 13:07:20 ----D---- C:\WINDOWS\Prefetch
2009-07-16 13:03:23 ----D---- C:\Program Files\BitTorrent
2009-07-16 12:33:58 ----D---- C:\Program Files\Mozilla Firefox
2009-07-16 12:32:43 ----D---- C:\WINDOWS\Temp
2009-07-16 12:32:32 ----D---- C:\WINDOWS
2009-07-16 03:11:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-16 03:09:42 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-16 03:03:44 ----HD---- C:\WINDOWS\inf
2009-07-16 03:03:43 ----D---- C:\WINDOWS\system32
2009-07-16 03:03:40 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-16 03:03:38 ----A---- C:\WINDOWS\imsins.BAK
2009-07-16 03:03:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-16 03:03:29 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-14 14:11:53 ----D---- C:\Documents and Settings\John\Application Data\MSN6
2009-07-13 14:35:40 ----RD---- C:\Program Files
2009-07-11 14:43:05 ----A---- C:\WINDOWS\system.ini
2009-07-11 14:36:03 ----D---- C:\WINDOWS\system32\drivers
2009-07-11 14:36:03 ----D---- C:\WINDOWS\AppPatch
2009-07-11 14:35:56 ----D---- C:\Program Files\Common Files
2009-07-11 13:01:53 ----D---- C:\Program Files\PokerStars
2009-07-10 19:59:33 ----SD---- C:\WINDOWS\Tasks
2009-07-10 19:53:30 ----D---- C:\WINDOWS\system32\config
2009-07-10 19:33:22 ----RASH---- C:\boot.ini
2009-07-10 18:25:26 ----D---- C:\WINDOWS\Minidump
2009-07-10 17:44:20 ----D---- C:\Documents and Settings
2009-07-10 16:35:42 ----SHD---- C:\WINDOWS\Installer
2009-07-10 16:35:33 ----D---- C:\WINDOWS\WinSxS
2009-07-09 03:38:41 ----D---- C:\WINDOWS\system32\wbem
2009-07-09 03:00:54 ----D---- C:\Program Files\Common Files\Blizzard Entertainment

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-24 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-24 2560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-20 17217]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-07-29 587264]
R3 b57w2k;Broadcom 570x Gigabit Integrated Controller; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-07-03 1063936]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-07-03 189056]
R3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINDOWS\System32\DRIVERS\ozscr.sys [2003-12-11 91395]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2004-11-15 264440]
R3 tapvpn;TAP VPN Adapter; C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 27136]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-07-03 631680]
S2 heihypck;heihypck; C:\WINDOWS\system32\drivers\tikpcops.sys []
S2 orif;orif; C:\WINDOWS\system32\drivers\ihihx.sys []
S2 xienm;xienm; C:\WINDOWS\system32\drivers\uiaymrw.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\John\LOCALS~1\Temp\catchme.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-07-29 323584]
R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [2008-11-25 88024]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-14 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sfx;sfx; C:\WINDOWS\sySTEM32\SvchoSt.ExE [2008-04-14 14336]
R2 SSIRuntimeService;SSIRuntimeService; C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-05-21 45056]
R2 SSISvr32;Software Secure Service; C:\WINDOWS\system32\ssisvr32.exe [2007-01-16 200704]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-03-23 229856]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
S3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 17th, 2009, 10:26 am

Hello Metnut,
Part of the update from Microsoft was the monthly execution of the Malicious Software Removal tool... that's what ran and deleted the "infection" you mentioned.
Let's continue...
Please read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
OTM
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Double click on OTM.exe to run it.
    If you receive the "Open File - Security Warning", please press Run.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Warning: Do not type it out... errors could damage your machine.
    Code: Select all
    :Services
    sfx
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\BitTorrent\bittorrent.exe"=-
    
    :Files
    C:\Program Files\sFX\
    C:\WINDOWS\system32\drivers\tikpcops.sys
    C:\WINDOWS\system32\drivers\ihihx.sys 
    C:\WINDOWS\system32\drivers\uiaymrw.sys 
    
    :Commands
    [EmptyTemp]
    [Reboot]
    

    Please refer to this image to use OTM.exe

    Image
  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!

Step 2.
Malwarebytes' Anti-Malware
Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
Alternate download site available here.
  1. Make sure you are connected to the Internet.
  2. Double-click on Download_mbam-setup.exe to install the application.
  3. When the installation begins, follow the prompts and do not make any changes to default settings.
  4. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
  1. Make sure the "Perform Quick Scan" option is selected.
  2. Then click on the Scan button.
    If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  3. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  4. Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
  3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  5. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 3.
Kaspersky Online Scanner.
Please go to Kaspersky Online Virus Scanner © Kaspersky Lab to perform an online antivirus scan.
  1. Click on the Image ...button.
  2. The program will launch and fill in the Information section ... on the left.
  3. Read the "Requirements and Limitations" then press... the Image ...button.
  4. The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  5. Once the files have been downloaded, click on the Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Image ...button, if you made any changes.
  6. Now under the Scan section on the left:
      Select My Computer
  7. The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete it will display if your system has been infected.
  8. Save the scan results as a Text file ... save it to your desktop.
  9. Copy and paste the saved scan results file in your next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions
  2. OTM report
  3. MBAM scan results
  4. Kaspersky scan results
  5. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 18th, 2009, 12:42 pm

The computer seems to be behaving perfectly. My google results have not been hijacked the past few days (even before i ran these scans) nor have i had unwanted popups telling me to buy fake anti malware programs. However, the results of the latter of these scans was unsettling.

OTM log

All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver sfx deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\BitTorrent\bittorrent.exe deleted successfully.
========== FILES ==========
C:\Program Files\sFX moved successfully.
File/Folder C:\WINDOWS\system32\drivers\tikpcops.sys not found.
File/Folder C:\WINDOWS\system32\drivers\ihihx.sys not found.
File/Folder C:\WINDOWS\system32\drivers\uiaymrw.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 165389 bytes
->FireFox cache emptied: 63891399 bytes

User: Administrator.JOHN-XYJV14Y551
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: John
->Temp folder emptied: 3611361 bytes
->Temporary Internet Files folder emptied: 1295732 bytes
->Java cache emptied: 22556763 bytes
->FireFox cache emptied: 84495204 bytes
->Google Chrome cache emptied: 2385524 bytes

User: light
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 327814 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33428 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 16871 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 171.78 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07172009_143115

Files moved on Reboot...

Registry entries deleted on Reboot...






Malware Bytes Anti-malware log

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/17/2009 2:52:57 PM
mbam-log-2009-07-17 (14-52-57).txt

Scan type: Quick Scan
Objects scanned: 110784
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.



KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 17, 2009 20:40:59
Records in database: 2483190
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 60224
Threat name 7
Infected objects 11
Suspicious objects 0
Duration of the scan 07:59:45

File name Threat name Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACuwmtggioommeosogu.sys.vir Infected: Rootkit.Win32.Agent.mih 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fibidaku.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gdi32lib.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.wfxo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\juvihawo.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpsawvlaq.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETrodwqekk.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tadagagu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbekayekclusffdkka.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACilrsdswrsekkigvai.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuymueawfooishcgcv.dll.vir Infected: Trojan.Win32.TDSS.aekg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvygegonhxhdlhxqnb.dll.vir Infected: Packed.Win32.Tdss.m 1
The selected area was scanned.
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 18th, 2009, 10:08 pm

Hello Metnut,
You can relax about the last KAS scan results. The (eleven) files referenced in the Qoobox folder are the files that ComboFix found and quarantined
from the run of CF, you made earlier. We will take care of those files shortly...

In the mean time, please perform the following steps:
Please read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
ComboFix
This program is a powerful tool, intended by its creator, to be "used under the guidance and supervision of trained malware removers", NOT for general public use.
Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.
  1. Please download ComboFix.exe... © Copyrighted to sUBs
    Save it to your desktop. Alternate download sites: forospyware.com or geekstogo.com.
    Once the download is completed...
    Image
    ComboFix.exe <<------------- you should see this on your desktop.
  2. Please disable any Antivirus or Firewall you have active.
    SPYWARE DOCTOR
    • Click the Spyware Doctor icon in the System Tray.
    • Click Settings. Click Startup Settings under Pick a Category.
    • Uncheck "Run at Windows startup".
    • Click Apply and Exit Spyware Doctor.
    • From within Spyware Doctor, click the "OnGuard" button on the left side.
    • Uncheck "Activate OnGuard".
    • (When we are done, you can reenable Spyware Doctor)
  3. Double click the ComboFix.exe icon on your desktop to begin execution.
    If you receive the "Open File - Security Warning"... press Run.
  4. Press Yes to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
  5. If not already installed... Press Yes to the "Install Recovery Console" prompt.
  6. Press Yes at the Recovery Console installation results prompt... Even if unsuccessful, have ComboFix continue the scan.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    ComboFix will disconnect you from the Internet and also change your clock settings... this is normal, so don't worry. They will be restored when finished.
    The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
    Your desktop may disappear... this is normal and will be restored.
    ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    When finished... Notepad will open ... ComboxFix will produce a log file called "log.txt".
  7. Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 2.
RSIT (Random's System Information Tool)
You should still have this program on your desktop. If so, just ignore the download instructions.
Please download RSIT by random/random... save it to your desktop.

In order for both info and log files to be produced again, I need you to delete the existing RSIT folder:
  1. C:\RSIT <-- delete this entire folder , then...
  2. Double click on RSIT.exe to run it.
  3. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... 2 (Notepad) text files...will be produced.
    The first one, "C:\RSIT\log.txt", will be maximized... the second one, "C:\RSIT\info.txt", will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.
    (These logs can be lengthy, so post 1 log per reply please.)

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions
  2. ComboFix report
  3. New RSIT log and info text file contents
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 19th, 2009, 2:07 am

Computer is still behaving ok, none of the previous signs of the infection are showing up. Here is the combofix log.

ComboFix 09-07-14.08 - John 07/19/2009 1:41.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.282 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFXDRV


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-18 03:40 . 2009-07-18 03:40 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp
2009-07-17 18:43 . 2009-07-17 18:43 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 18:31 . 2009-07-17 18:31 -------- d-----w- C:\_OTM
2009-07-13 18:35 . 2009-07-16 17:07 -------- d-----w- c:\program files\trend micro
2009-07-13 18:35 . 2009-07-13 18:35 -------- d-----w- C:\rsit
2009-07-10 22:03 . 2009-07-10 22:03 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-07-10 21:46 . 2009-07-10 21:46 -------- d-----w- c:\documents and settings\Administrator.JOHN-XYJV14Y551\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:22 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 21:22 . 2009-07-10 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-07-17 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 20:32 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-07-10 18:08 . 2009-07-10 18:08 -------- d-----w- C:\VundoFix Backups
2009-07-09 06:14 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-09 06:14 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-09 06:14 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-09 06:14 . 2009-07-10 21:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 06:14 . 2009-07-09 06:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-09 06:14 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-09 06:14 . 2009-07-10 21:14 -------- d-----w- c:\program files\Spyware Doctor
2009-07-09 06:14 . 2009-07-10 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-09 06:14 . 2009-07-09 06:14 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools
2009-07-09 06:02 . 2009-07-09 06:06 -------- d-----w- c:\documents and settings\John\Application Data\Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 05:31 . 2005-12-06 09:46 -------- d-----w- c:\program files\PokerStars
2009-07-16 17:03 . 2005-12-30 03:28 -------- d-----w- c:\program files\BitTorrent
2009-07-14 18:11 . 2005-12-14 05:06 -------- d-----w- c:\documents and settings\John\Application Data\MSN6
2009-07-09 07:00 . 2009-05-18 18:22 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-16 20:53 . 2007-05-22 17:38 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-16 14:36 . 2003-07-16 16:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 16:22 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-07-16 16:36 1291264 ------w- c:\windows\system32\quartz.dll
2009-05-13 16:29 . 2008-11-22 01:20 315390 ----a-w- c:\windows\jgzr.dat
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2003-07-16 16:45 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-16 19:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 22:54 . 2008-10-17 18:43 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_23.56.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-19 05:52 . 2009-07-19 05:52 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
+ 2007-03-21 14:16 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-03-21 14:16 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-16 07:01 . 2009-07-07 12:10 24539592 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-31 04:58 204248 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-31 185872]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/9/2009 2:14 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [7/10/2009 4:32 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [7/10/2009 4:32 PM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [7/9/2009 2:14 AM 159600]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/9/2009 2:14 AM 348752]
R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [5/21/2007 7:55 AM 45056]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:40 PM 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [3/23/2007 6:24 AM 229856]
S2 heihypck;heihypck;c:\windows\system32\drivers\tikpcops.sys --> c:\windows\system32\drivers\tikpcops.sys [?]
S2 orif;orif;c:\windows\system32\drivers\ihihx.sys --> c:\windows\system32\drivers\ihihx.sys [?]
S2 xienm;xienm;c:\windows\system32\drivers\uiaymrw.sys --> c:\windows\system32\drivers\uiaymrw.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [7/9/2009 2:14 AM 64392]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [7/10/2009 4:32 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\beuhytek.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=U ... &gfns=1&q=
FF - plugin: c:\documents and settings\John\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll


Here is the RSIT Log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by John at 2009-07-19 02:05:57
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (15%) free of 38 GB
Total RAM: 511 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:01 AM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\RSIT.exe
C:\Program Files\trend micro\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7214 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-12-31 304736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-14 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files\Hotspot Shield\hssie\HssIE.dll [2008-12-31 204248]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-07-29 335872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-14 148888]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-11 286720]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-12-11 267048]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-31 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2003-07-29 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"AllowMultipleTSSessions"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-07-19 02:05:57 ----D---- C:\rsit
2009-07-19 02:05:01 ----SHD---- C:\RECYCLER
2009-07-19 01:58:04 ----A---- C:\ComboFix.txt
2009-07-17 14:31:15 ----D---- C:\_OTM
2009-07-16 03:03:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:03:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:01:57 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-16 03:01:41 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 14:35:40 ----D---- C:\Program Files\trend micro
2009-07-10 19:33:21 ----A---- C:\Boot.bak
2009-07-10 19:33:10 ----RASHD---- C:\cmdcons
2009-07-10 19:30:54 ----A---- C:\WINDOWS\zip.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWSC.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWREG.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\sed.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\PEV.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\grep.exe
2009-07-10 19:29:40 ----D---- C:\WINDOWS\ERDNT
2009-07-10 19:29:23 ----D---- C:\Qoobox
2009-07-10 18:03:47 ----D---- C:\Documents and Settings\John\Application Data\Malwarebytes
2009-07-10 17:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-10 17:22:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-10 14:08:50 ----D---- C:\VundoFix Backups
2009-07-10 14:08:50 ----A---- C:\VundoFix.txt
2009-07-10 13:34:11 ----D---- C:\Program Files\HijackThis
2009-07-09 03:13:19 ----SHD---- C:\WINDOWS\CSC
2009-07-09 03:13:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-09 02:14:11 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-09 02:14:06 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-09 02:14:00 ----D---- C:\Program Files\Spyware Doctor
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\John\Application Data\PC Tools
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-07-09 02:02:55 ----D---- C:\Documents and Settings\John\Application Data\Messenger

======List of files/folders modified in the last 1 months======

2009-07-19 02:01:45 ----D---- C:\Program Files\Mozilla Firefox
2009-07-19 01:58:07 ----D---- C:\WINDOWS\system32\drivers
2009-07-19 01:58:07 ----D---- C:\WINDOWS\system32
2009-07-19 01:58:06 ----D---- C:\WINDOWS\Temp
2009-07-19 01:56:27 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-19 01:54:01 ----D---- C:\WINDOWS
2009-07-19 01:54:01 ----A---- C:\WINDOWS\system.ini
2009-07-19 01:50:44 ----D---- C:\WINDOWS\system32\config
2009-07-19 01:46:41 ----D---- C:\WINDOWS\AppPatch
2009-07-19 01:46:27 ----D---- C:\Program Files\Common Files
2009-07-19 01:40:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-19 01:39:22 ----D---- C:\WINDOWS\Prefetch
2009-07-19 01:31:57 ----D---- C:\Program Files\PokerStars
2009-07-17 14:32:20 ----RD---- C:\Program Files
2009-07-16 13:03:23 ----D---- C:\Program Files\BitTorrent
2009-07-16 03:03:44 ----HD---- C:\WINDOWS\inf
2009-07-16 03:03:40 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-16 03:03:38 ----A---- C:\WINDOWS\imsins.BAK
2009-07-16 03:03:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-16 03:03:29 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-14 14:11:53 ----D---- C:\Documents and Settings\John\Application Data\MSN6
2009-07-10 19:59:33 ----SD---- C:\WINDOWS\Tasks
2009-07-10 19:33:22 ----RASH---- C:\boot.ini
2009-07-10 18:25:26 ----D---- C:\WINDOWS\Minidump
2009-07-10 17:44:20 ----D---- C:\Documents and Settings
2009-07-10 16:35:42 ----SHD---- C:\WINDOWS\Installer
2009-07-10 16:35:33 ----D---- C:\WINDOWS\WinSxS
2009-07-09 03:38:41 ----D---- C:\WINDOWS\system32\wbem
2009-07-09 03:00:54 ----D---- C:\Program Files\Common Files\Blizzard Entertainment

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-24 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-24 2560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-20 17217]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-07-29 587264]
R3 b57w2k;Broadcom 570x Gigabit Integrated Controller; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 catchme;catchme; \??\C:\DOCUME~1\John\LOCALS~1\Temp\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-07-03 1063936]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-07-03 189056]
R3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINDOWS\System32\DRIVERS\ozscr.sys [2003-12-11 91395]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2004-11-15 264440]
R3 tapvpn;TAP VPN Adapter; C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 27136]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-07-03 631680]
S2 heihypck;heihypck; C:\WINDOWS\system32\drivers\tikpcops.sys []
S2 orif;orif; C:\WINDOWS\system32\drivers\ihihx.sys []
S2 xienm;xienm; C:\WINDOWS\system32\drivers\uiaymrw.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-07-29 323584]
R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [2008-11-25 88024]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-14 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 SSIRuntimeService;SSIRuntimeService; C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-05-21 45056]
R2 SSISvr32;Software Secure Service; C:\WINDOWS\system32\ssisvr32.exe [2007-01-16 200704]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-03-23 229856]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
S3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 19th, 2009, 2:09 am

Here is info.txt

info.txt logfile of random's system information tool 1.06 2009-07-19 02:06:03

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal-->MsiExec.exe /I{101F2C64-5735-4B32-9E52-4CB85E5D8C93}
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Blocktrix 1.00-->C:\Program Files\Blocktrix\uninst.exe
Broadcom Gigabit Integrated Controller-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D480 MDC V.9x Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DivX Media Codec 4.2.1-->C:\WINDOWS\system32\uninstdivx.exe
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
Full Tilt Poker-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Holdem Manager-->MsiExec.exe /I{42DE940E-8037-4266-9FBF-5A3AEDA39E96}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotspot Shield 1.10-->C:\Program Files\Hotspot Shield\Uninstall.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes-->MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
O2Micro Smartcard Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E1547FCE-F5DD-4D77-8C71-13B6A2B8F527} /l1033
PokerStars.net-->C:\Program Files\PokerStars.NET\Uninstall.EXE /u:"PokerStars.net"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PostgreSQL 8.3-->MsiExec.exe /I{B823632F-3B72-4514-8861-B961CE263224}
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
QuickTime-->MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Securexam Student-->"C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Securexam Student-->C:\Documents and Settings\All Users\Application Data\{5A4179C0-3F8D-49C3-810D-881C5BC3DED9}\SecurexamStudentInstaller.exe
Securexam Student-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C2BE55EC-8569-11D4-AADE-52544CC9E028}\Setup.exe" UNINSTALL
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SigmaTel AC97 Audio Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
Smart Defrag 1.10-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
SnG Power Tools v1.19b-->"C:\Program Files\Advantage Analysis\SnG Power Tools\unins000.exe"
SofTest-->MsiExec.exe /X{C430FD9C-FFDC-484F-ABF4-870101AE4C70}
Spybot - Search & Destroy 1.4-->MsiExec.exe /I{B8893BFE-D0EB-44A5-A2CE-4840AA0F5CA6}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Take Charge 2.1-->MsiExec.exe /I{AAB04B68-2596-4C2B-B237-D66BBC9B732D}
TetriNet2-->C:\Program Files\TetriNet2\uninstall.exe
Tourney Manager-->MsiExec.exe /I{33FF2328-8CE0-425E-AEDC-BEF9AED09153}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Update Wizard (Redistributable) 4.0-->C:\WINDOWS\system32\wuwuninst.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: Spyware Doctor with AntiVirus (disabled)

======System event log======

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 52
Source Name: b57w2k
Time Written: 20090710010740.000000-240
Event Type: warning
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7034
Message: The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Record Number: 42
Source Name: Service Control Manager
Time Written: 20090710010246.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7000
Message: The Viewpoint Manager Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Record Number: 8
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.

Record Number: 7
Source Name: Service Control Manager
Time Written: 20090709034427.000000-240
Event Type: error
User:

Computer Name: JOHN-XYJV14Y551
Event Code: 4
Message: Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 5
Source Name: b57w2k
Time Written: 20090709034312.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70419
Source Name: Google Update
Time Written: 20090711004005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 20
Message:
Record Number: 70418
Source Name: Google Update
Time Written: 20090710234005.000000-240
Event Type: error
User: JOHN-XYJV14Y551\John

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70403
Source Name: Userenv
Time Written: 20090710195356.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70391
Source Name: Userenv
Time Written: 20090710194101.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: JOHN-XYJV14Y551
Event Code: 1517
Message: Windows saved user JOHN-XYJV14Y551\John registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 70377
Source Name: Userenv
Time Written: 20090710185707.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 9 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=0905
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 19th, 2009, 3:50 pm

Hi Metnut,
Please read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
It appears the latest ComboFix log was cutoff at the end... please re-post the full log.
You can locate the "log.txt" file in C:\ComboFix\log.txt

Step 2.
Please enable the Show Hidden Files and Folders option, like this:
  1. Click Start. Open My Computer.
  2. Select the Tools menu and click Folder Options.
  3. Select the View Tab. Under the Hidden files and folders heading select ... "Show hidden files and folders".
  4. Uncheck the Hide extensions for known file types. option.
  5. Uncheck the Hide protected operating system files (recommended) option.
  6. Click Apply to set. Click OK.

Step 3.
We need to search for some files.
Batch - Command line use
  1. Click on Start...select Run from the menu.
  2. Copy and paste the following commands into the box... pressing OK after each command:
    cmd /c dir C:\*.* /L /A /B /S|Find "tikpcops.sys" >> "%userprofile%\desktop\look.txt"
    cmd /c dir C:\*.* /L /A /B /S|Find "ihihx.sys" >> "%userprofile%\desktop\look.txt"
    cmd /c dir C:\*.* /L /A /B /S|Find "uiaymrw.sys" >> "%userprofile%\desktop\look.txt"
    A black command window will open... for each search, it will close when the search is done... each search may take several seconds.
  3. A file called "look.txt" should appear on your Desktop.
Please post the contents of "look.txt"... in your next reply. If the look.txt file is empty, just indicate that in your post.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Full ComboFix log
  3. look.txt file contents
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 19th, 2009, 5:17 pm

No changes in computer behavior. The look.txt file was empty. This should be the full combofix log.

ComboFix 09-07-14.08 - John 07/19/2009 1:41.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.282 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFXDRV


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-18 03:40 . 2009-07-18 03:40 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp
2009-07-17 18:43 . 2009-07-17 18:43 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 18:31 . 2009-07-17 18:31 -------- d-----w- C:\_OTM
2009-07-13 18:35 . 2009-07-16 17:07 -------- d-----w- c:\program files\trend micro
2009-07-13 18:35 . 2009-07-13 18:35 -------- d-----w- C:\rsit
2009-07-10 22:03 . 2009-07-10 22:03 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-07-10 21:46 . 2009-07-10 21:46 -------- d-----w- c:\documents and settings\Administrator.JOHN-XYJV14Y551\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:22 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 21:22 . 2009-07-10 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 21:22 . 2009-07-17 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 20:32 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-07-10 20:32 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-07-10 18:08 . 2009-07-10 18:08 -------- d-----w- C:\VundoFix Backups
2009-07-09 06:14 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-09 06:14 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-09 06:14 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-09 06:14 . 2009-07-10 21:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 06:14 . 2009-07-09 06:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-09 06:14 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-09 06:14 . 2009-07-10 21:14 -------- d-----w- c:\program files\Spyware Doctor
2009-07-09 06:14 . 2009-07-10 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-09 06:14 . 2009-07-09 06:14 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools
2009-07-09 06:02 . 2009-07-09 06:06 -------- d-----w- c:\documents and settings\John\Application Data\Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 05:31 . 2005-12-06 09:46 -------- d-----w- c:\program files\PokerStars
2009-07-16 17:03 . 2005-12-30 03:28 -------- d-----w- c:\program files\BitTorrent
2009-07-14 18:11 . 2005-12-14 05:06 -------- d-----w- c:\documents and settings\John\Application Data\MSN6
2009-07-09 07:00 . 2009-05-18 18:22 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-16 20:53 . 2007-05-22 17:38 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-16 14:36 . 2003-07-16 16:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 16:22 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-07-16 16:36 1291264 ------w- c:\windows\system32\quartz.dll
2009-05-13 16:29 . 2008-11-22 01:20 315390 ----a-w- c:\windows\jgzr.dat
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2003-07-16 16:45 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-16 19:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-12 22:54 . 2008-10-17 18:43 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_23.56.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-19 05:52 . 2009-07-19 05:52 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
+ 2007-03-21 14:16 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-03-21 14:16 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-16 07:01 . 2009-07-07 12:10 24539592 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-31 04:58 204248 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-31 185872]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/9/2009 2:14 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [7/10/2009 4:32 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [7/10/2009 4:32 PM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [7/9/2009 2:14 AM 159600]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/9/2009 2:14 AM 348752]
R2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRunTimeService\SSIRuntimeService.exe [5/21/2007 7:55 AM 45056]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:40 PM 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [3/23/2007 6:24 AM 229856]
S2 heihypck;heihypck;c:\windows\system32\drivers\tikpcops.sys --> c:\windows\system32\drivers\tikpcops.sys [?]
S2 orif;orif;c:\windows\system32\drivers\ihihx.sys --> c:\windows\system32\drivers\ihihx.sys [?]
S2 xienm;xienm;c:\windows\system32\drivers\uiaymrw.sys --> c:\windows\system32\drivers\uiaymrw.sys [?]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [7/9/2009 2:14 AM 64392]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [7/10/2009 4:32 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 03:25]

2009-07-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\beuhytek.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=U ... &gfns=1&q=
FF - plugin: c:\documents and settings\John\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=U ... &gfns=1&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 01:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1092)
c:\windows\System32\BCMLogon.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\ssisvr32.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-19 1:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 05:57
ComboFix2.txt 2009-07-11 18:47
ComboFix3.txt 2009-07-11 00:00

Pre-Run: 5,862,977,536 bytes free
Post-Run: 5,913,300,992 bytes free

211 --- E O F --- 2009-07-16 07:03
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm

Re: can't get rid of trojan.virtumonde please help

Unread postby Wingman » July 20th, 2009, 8:48 am

Hi Metnut,
Please read the instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

You may want to print these instructions, because you will be closing your browser... no Internet connection. Also please note the difference
in the RSIT instructions, this time.

Step 1.
Update Adobe Reader
Your version of Adobe Reader is out-of-date. There are serious security issues with older versions of Adobe Reader.
I'm not asking you to update the Adobe Acrobat installation... this can be quite costly. I am going to insist that you update your Adobe Reader software.
Then use the Reader for viewing PDF files... you can use the Acrobat software for your other needs.

Please download the current version of Adobe Reader...Copyright © Adobe Systems Inc.
  1. Click the yellow "Download now"... button. If you don't already have Adobe DLM... you may recieve a prompt...
  2. If prompted to install "Adobe DLM" This software is not a requirement to obtain the latest Adobe Reader software...so the choice is yours.
    The Adobe (DLM) Download Manager... allows you to "pick up where you left off", if your download process is interrupted. A good idea if you are using dial-up.
    If you choose to install Adobe DLM, it will start the download automatically. Adobe DLM software removal instructions available here...if wanted.
  3. If not using Adobe DLM...click on the highlighted "click here to download" text, to begin the Reader download.
    Save the file to your desktop.
      Uninstall OLD Adobe Reader
    • Please uninstall Adobe Reader before installing the latest version... Go to Start > Control Panel
    • Double click on Add/Remove Programs... Locate:
      Adobe Reader...version to remove
    • Click on Change/Remove to uninstall it. Once uninstalled... Close and exit Control Panel.
  4. Click on the Adobe Acrobat Reader (AdbeRdrxx_en_US.exe) icon, on your desktop... to install the new (free) version.
    The Adobe Reader download file name will be different, depending on the language or OS chosen. xx in the name = version numbers.
  5. The Adobe installer will check your system and begin the installation process. Use the default installation parameters.

An alternate to the Adobe Reader, you could try the free (for personal use) Foxit PDF Reader. The download file is smaller and when installed,
uses less resources than Adobe Reader. Note: Do not install anything dealing with AskBar... presented as an installation option.

Step 2.
Java Update Needed!
Your Java is out of date.
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older versions of Java components and update:

Attention: Print these instructions or copy them. You will be closing your browser!!

DOWNLOAD UPDATED VERSION
  1. Get the latest version of Java Runtime Environment (JRE)... © Sun Microsystems, Inc.
  2. Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  3. Click the "Download" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
    <STOP> Do not install the new version of Java yet. We need to do some cleanup first!

REMOVE OLD JAVA VERSIONS
  1. Close any programs you may have running - especially your web browser.
  2. Go to Start > Settings > Control Panel.
  3. Double-click on Add/Remove Programs ...remove all older versions of Java.
  4. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 13
  5. Click the Remove or Change/Remove button...follow any onscreen instructions for the Java uninstaller.
  6. Repeat steps 4-5, for each version of Java listed.
  7. When all Java components are removed... Exit Add/remove Programs and Control Panel.
    Delete old Java Folder
    • Right click on the Start...button.
    • Select Explore...from the menu.
    • Navigate to and find the following folder: if found, delete it.
      It's possible it may have been removed by the uninstall steps
      C:\Program Files\Java\ <==== delete this entire folder
    • When finished, close and exit Explorer.

INSTALL UPDATED VERSION
  1. Close all open applications (standard), especially your browser.
  2. From desktop... double-click on jre-6u14-windows-i586-p.exe to install the newest version.
  3. Follow the on-screen directions...when installation is completed successfully, reboot your computer normally.
  4. Once the computer has been restarted, you can delete the "downloaded" installation file from your desktop.

Step 3.
Spybot S&D
Your current version of Spybot (1.4) is out of date... current version is 1.6.
If you still want to use this... you should update it. (you have MBAM installed... which I prefer over Spybot, as a scanner) If you are using Spybot's
immunize feature... then you should update. The choice, of course, is yours.

Please download Spybot S&D ... Copyright © Safer Networking Ltd. All rights reserved.
Please double click the spybotsd???.exe icon on your desktop to install (??? = version number)
Accept the Default installation
Folow prompts to complete the install.

Step 4.
RSIT (Random's System Information Tool)
You should still have this program on your desktop. If so, just ignore the download instructions.
Please download RSIT by random/random... save it to your desktop.

In order for both info and log files to be produced again, I need you to delete the existing RSIT folder:
  1. C:\RSIT <-- delete this entire folder , then...
  2. Double click on RSIT.exe to run it.
  3. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... 2 (Notepad) text files...will be produced.
    The first one, "C:\RSIT\log.txt", will be maximized... the second one, "C:\RSIT\info.txt", will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.
    (These logs can be lengthy, so post 1 log per reply please.)

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. New RSIT log and info file contents
  3. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: can't get rid of trojan.virtumonde please help

Unread postby Metnut » July 20th, 2009, 1:50 pm

No changes in computer behavior. I deleted/removed the old versions of java and adobe and updated with the new versions. I did not update spybot as I will be using MBAM instead.

Here is log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by John at 2009-07-20 13:48:19
Microsoft Windows XP Professional Service Pack 3
System drive C: has 5 GB (14%) free of 38 GB
Total RAM: 511 MB (36% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:24 PM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\RSIT.exe
C:\Program Files\trend micro\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7109 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-507921405-854245398-1003UA.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-12-31 304736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-20 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files\Hotspot Shield\hssie\HssIE.dll [2008-12-31 204248]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-07-29 335872]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-11 286720]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-12-11 267048]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-31 185872]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-20 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2003-07-29 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"AllowMultipleTSSessions"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\ExamSoft\SofTest\SoftLnch.exe"="C:\Program Files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch
"
"C:\Program Files\ExamSoft\SofTest\softest.exe"="C:\Program Files\ExamSoft\SofTest.exe:*:Enabled:SofTest
"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-07-20 13:48:19 ----D---- C:\rsit
2009-07-20 13:13:47 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-20 13:13:47 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-20 13:13:47 ----A---- C:\WINDOWS\system32\java.exe
2009-07-20 13:13:20 ----D---- C:\Program Files\Java
2009-07-20 12:59:07 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-19 02:05:01 ----SHD---- C:\RECYCLER
2009-07-19 01:58:04 ----A---- C:\ComboFix.txt
2009-07-17 14:31:15 ----D---- C:\_OTM
2009-07-16 03:03:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:03:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:01:57 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-16 03:01:41 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 14:35:40 ----D---- C:\Program Files\trend micro
2009-07-10 19:33:21 ----A---- C:\Boot.bak
2009-07-10 19:33:10 ----RASHD---- C:\cmdcons
2009-07-10 19:30:54 ----A---- C:\WINDOWS\zip.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWSC.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\SWREG.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\sed.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\PEV.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-10 19:30:54 ----A---- C:\WINDOWS\grep.exe
2009-07-10 19:29:40 ----D---- C:\WINDOWS\ERDNT
2009-07-10 19:29:23 ----D---- C:\Qoobox
2009-07-10 18:03:47 ----D---- C:\Documents and Settings\John\Application Data\Malwarebytes
2009-07-10 17:22:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-10 17:22:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-10 14:08:50 ----D---- C:\VundoFix Backups
2009-07-10 14:08:50 ----A---- C:\VundoFix.txt
2009-07-10 13:34:11 ----D---- C:\Program Files\HijackThis
2009-07-09 03:13:19 ----SHD---- C:\WINDOWS\CSC
2009-07-09 03:13:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-09 02:14:11 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-09 02:14:06 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-09 02:14:00 ----D---- C:\Program Files\Spyware Doctor
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\John\Application Data\PC Tools
2009-07-09 02:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-07-09 02:02:55 ----D---- C:\Documents and Settings\John\Application Data\Messenger

======List of files/folders modified in the last 1 months======

2009-07-20 13:48:25 ----D---- C:\WINDOWS\Prefetch
2009-07-20 13:45:57 ----D---- C:\Program Files\Mozilla Firefox
2009-07-20 13:19:36 ----D---- C:\WINDOWS\Temp
2009-07-20 13:19:05 ----D---- C:\WINDOWS
2009-07-20 13:17:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-20 13:13:54 ----SHD---- C:\WINDOWS\Installer
2009-07-20 13:13:47 ----D---- C:\WINDOWS\system32
2009-07-20 13:13:25 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-20 13:13:20 ----RD---- C:\Program Files
2009-07-20 13:06:32 ----D---- C:\Program Files\Common Files
2009-07-20 12:59:23 ----D---- C:\Program Files\Common Files\Adobe
2009-07-20 12:58:43 ----D---- C:\Program Files\Adobe
2009-07-20 12:34:59 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-20 02:51:40 ----D---- C:\Program Files\PokerStars
2009-07-19 01:58:07 ----D---- C:\WINDOWS\system32\drivers
2009-07-19 01:54:01 ----A---- C:\WINDOWS\system.ini
2009-07-19 01:50:44 ----D---- C:\WINDOWS\system32\config
2009-07-19 01:46:41 ----D---- C:\WINDOWS\AppPatch
2009-07-16 13:03:23 ----D---- C:\Program Files\BitTorrent
2009-07-16 03:03:44 ----HD---- C:\WINDOWS\inf
2009-07-16 03:03:40 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-16 03:03:38 ----A---- C:\WINDOWS\imsins.BAK
2009-07-16 03:03:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-16 03:03:29 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-14 14:11:53 ----D---- C:\Documents and Settings\John\Application Data\MSN6
2009-07-10 19:59:33 ----SD---- C:\WINDOWS\Tasks
2009-07-10 19:33:22 ----RASH---- C:\boot.ini
2009-07-10 18:25:26 ----D---- C:\WINDOWS\Minidump
2009-07-10 17:44:20 ----D---- C:\Documents and Settings
2009-07-10 16:35:33 ----D---- C:\WINDOWS\WinSxS
2009-07-09 03:38:41 ----D---- C:\WINDOWS\system32\wbem
2009-07-09 03:00:54 ----D---- C:\Program Files\Common Files\Blizzard Entertainment

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-24 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-24 2560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-20 17217]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-07-29 587264]
R3 b57w2k;Broadcom 570x Gigabit Integrated Controller; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-07-03 1063936]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-07-03 189056]
R3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINDOWS\System32\DRIVERS\ozscr.sys [2003-12-11 91395]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2004-11-15 264440]
R3 tapvpn;TAP VPN Adapter; C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 27136]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-07-03 631680]
S2 heihypck;heihypck; C:\WINDOWS\system32\drivers\tikpcops.sys []
S2 orif;orif; C:\WINDOWS\system32\drivers\ihihx.sys []
S2 xienm;xienm; C:\WINDOWS\system32\drivers\uiaymrw.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\John\LOCALS~1\Temp\catchme.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-07-29 323584]
R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [2008-11-25 88024]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-20 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 SSIRuntimeService;SSIRuntimeService; C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [2007-05-21 45056]
R2 SSISvr32;Software Secure Service; C:\WINDOWS\system32\ssisvr32.exe [2007-01-16 200704]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-03-23 229856]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
S3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
Metnut
Regular Member
 
Posts: 15
Joined: July 10th, 2009, 1:07 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 316 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware