Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde Infected.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Virtumonde Infected.

Unread postby robmix » February 6th, 2008, 6:56 pm

Uipopuphidden has been showing up for about a year now. I'm not sure if it's tied to AT&T but I've never installed Freedom AV.





ComboFix 08-02.05.3 - Robert Smith 2008-02-06 16:48:05.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.251 [GMT -6:00]
Running from: C:\Documents and Settings\Robert Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Smith\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 16:20 . 2008-02-06 16:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 16:20 . 2008-02-06 16:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-30 19:56 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-29 06:07 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-01-29 06:06 . 2008-01-29 06:07 <DIR> d-------- C:\Program Files\Master Tour Database
2008-01-27 20:22 . 2008-01-27 20:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 05:10 . 2008-01-24 05:10 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\Uniblue
2008-01-23 19:06 . 2008-01-23 19:07 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\PrevxCSI
2008-01-23 19:06 . 2008-01-23 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-13 19:52 . 2008-01-30 20:31 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\LimeWire
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 22:02 --------- d-----w C:\Program Files\QuickTime
2008-02-03 07:15 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-03 07:15 --------- d-----w C:\Program Files\iTunes
2008-01-29 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-29 00:57 --------- d-----w C:\Program Files\iPod
2008-01-28 02:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-27 13:58 --------- d-----w C:\Program Files\HiJack This
2008-01-24 00:39 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-02 01:30 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\AT&T
2008-01-02 01:25 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-02 01:18 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-02 01:17 --------- d-----w C:\Program Files\Raxco
2008-01-02 01:17 --------- d-----w C:\Program Files\CA
2008-01-02 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-01-02 01:16 --------- d-----w C:\Program Files\AT&T
2008-01-02 01:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2008-01-02 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-12-31 01:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-30 20:11 77,891 ----a-w C:\WINDOWS\system32\USRmlnkA.exe
2007-12-30 20:02 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\Yahoo!
2007-12-30 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-29 14:18 --------- d-----w C:\Program Files\ATT
2007-12-29 03:57 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 13:52 --------- d-----w C:\Program Files\AC3Filter
2007-12-26 13:18 --------- d-----w C:\Program Files\ahead
2007-12-26 13:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 13:16 --------- d-----w C:\Program Files\Common Files\Voyetra
2007-12-22 15:48 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\Canon
2007-12-22 15:22 --------- d-----w C:\Program Files\Canon
2007-12-22 15:18 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\ScanSoft
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-22 15:16 --------- d-----w C:\Program Files\ScanSoft
2007-12-22 15:15 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-22 15:12 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-22 15:11 --------- d--h--w C:\Program Files\CanonBJ
2007-12-20 10:54 --------- d-----w C:\Program Files\OfficeUpdate11
2007-12-20 10:54 --------- d-----w C:\Program Files\MP3Downloading
2007-12-20 10:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-20 10:54 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-20 10:53 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-20 10:53 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-12-20 10:53 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 10:53 --------- d-----w C:\Program Files\androidnews
2007-12-20 10:53 --------- d-----w C:\Program Files\Amazing DVD Player
2007-12-13 03:10 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\FaxCtr
2007-12-13 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-13 02:11 32,123 ----a-w C:\WINDOWS\PaperPortSave.reg
2007-12-13 02:11 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-12-13 02:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 01:56 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 11:42 --------- d-----w C:\Program Files\PrimaScan
2007-12-12 11:42 --------- d-----w C:\Program Files\Common Files\Panasonic
2007-11-24 18:28 654,920 ----a-w C:\mtinst.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-12-16 18:50 8,273 ----a-w C:\Program Files\snylcd55.cat
2004-12-12 18:38 2,824 ----a-w C:\Program Files\HS75P_65.icm
2004-12-12 18:36 2,824 ----a-w C:\Program Files\HS75P_93.icm
2004-12-10 02:49 1,636 ----a-w C:\Program Files\SnyLCD55.inf
2004-05-19 15:16 20,854 ----a-w C:\Program Files\README-E.RTF
2002-02-17 22:52 8,584,973 ----a-w C:\Documents and Settings\Robert Smith\pcc2knt_76_1436.exe
2007-08-24 03:14 21,382,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 03:14 980,000 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:36 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe" [2007-06-28 16:09 310000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 10:10 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 19:36 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HydarVisionViewport"=viewport.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"USRpdA"=C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 14:52]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 18:16]
R3 MN130;Microsoft(R) PCI Adapter MN-130;C:\WINDOWS\system32\DRIVERS\MN130-51.sys [2002-05-29 12:25]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 22:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 03:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
S3 Amps2prt;PS/2 Port Wheel Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2000-11-03 20:37]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 07:57]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 15:34]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 01:56]
S3 USR7900;U.S. Robotics 10/100 PCI NIC TX;C:\WINDOWS\system32\DRIVERS\USR7900.SYS [2001-12-03 09:41]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 15:28]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-12-13 18:42]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 16:51:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 16:52:44
ComboFix-quarantined-files.txt 2008-02-06 22:52:17
ComboFix2.txt 2008-02-05 22:05:04
.
2008-01-09 11:23:59 --- E O F ---
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm
Advertisement
Register to Remove

Re: Virtumonde Infected.

Unread postby DFW » February 7th, 2008, 10:08 am

I am going to look in the uipopuphidden message some more ,found this in the CF log, so I think I am on the path

"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]

Can you check what version you have of AT&T Internet Security Suite????






In the mean time can you please run this online scan, but please run the cleaner first.




Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources.
It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s.[/b]

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
Click the Empty Selected button.
NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.






Kaspersky Online Scanner .

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence,
click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Go Here http://www.kaspersky.com/kos/english/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.




Please post back the Online scan log and a new HJT log


.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Unread postby robmix » February 8th, 2008, 12:26 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-07 10:16:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 553618
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 69164
Number of viruses found: 6
Number of infected objects: 93
Number of suspicious objects: 0
Duration of the scan process: 02:16:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AT&T\AT&T Internet Security Suite\Logs\FirewallService02-07-2008--06-38-30.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/ygamqvws.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip/vqqbqhxb.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc10.zip/bwxbjhik.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc11.zip/bbqmidwh.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc12.zip/wqvnkrui.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc13.zip/rlhakqkg.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc14.zip/npsrnvwq.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc15.zip/joxtjeok.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc16.zip/clmnuxoo.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc17.zip/wgddqbks.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc18.zip/kqvqxwyk.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc19.zip/eqrqapgh.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc19.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc2.zip/uacqvvux.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc20.zip/bjqudhrw.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc20.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc21.zip/awybeyfu.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc21.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc22.zip/sitotwsa.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc22.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc23.zip/gucwmhqt.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc3.zip/ufqcwyvj.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc4.zip/uacqvvux.exe_tobedeleted_old Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc5.zip/tnclahup.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc6.zip/rxiccfvo.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc7.zip/ruybxqqt.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc8.zip/lmthiosv.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc9.zip/feebkpkr.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll10.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll11.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll12.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll13.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll14.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll8.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll9.zip/geedb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/00jj99uuii66ddxxqqq.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/00jj99uuii66ddxxqqq.zip Infected: Trojan.Win32.Agent.cmn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/svchost.exe Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Smith\Application Data\AT&T\Internet Security Wizard\client_gateway.log Object is locked skipped
C:\Documents and Settings\Robert Smith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\History\History.IE5\MSHist012008020720080208\index.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temp\~DF24A6.tmp Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temp\~DF24B3.tmp Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temp\~DFEEE6.tmp Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temp\~DFEEFC.tmp Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\My Documents\Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\Robert Smith\ntuser.dat Object is locked skipped
C:\Documents and Settings\Robert Smith\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\PPRT\logs\2008-02-07.csv Object is locked skipped
C:\Program Files\HiJack This\backups\backup-20080122-222552-483.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080122-222552-985.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080123-181031-334.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080123-181636-463.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080125-194732-635.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080125-194732-847.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080125-195427-559.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\HiJack This\backups\backup-20080125-195438-767.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{36C847EB-70C1-4914-9124-D776F4437618}\RP2023\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ardCo18\ardCo182328.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\_restore{36C847EB-70C1-4914-9124-D776F4437618}\RP2023\change.log Object is locked skipped

Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:40 PM, on 2008-02-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Trend Micro\HijackThis\seemeknow.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AT&T Internet Security Suite] C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

--
End of file - 3743 bytes

My Computer has been acting fine, no popups, or virus warnings. The internet is still slow at times. AT&T Security Suite is Product Version: 6.0.1.19994
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 8th, 2008, 1:52 pm

Can you please check on your ISP web site if a program update is available for AT&T Internet Security Suite???,

http://www.att.net/s/mkt.dll?ep=51&ProductID=1

Is it the demo or the full program you use???

http://support.att.net/bellsouth/asp/co ... a45c0724ac

I have tried but you need account details to log in on the download page, if there is please download it and just save it for now.
Also I see that AT&T Internet Security Suite also has a Anti virus, are you running the Anti virus???, the reason I ask is that your log show you
are also running Authentium Anti Virus.

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs
running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.







Click Start, then All Programs, then Spybot - Search & Destroy and then Spybot - Search & Destroy.
2. On the left side, click "Recovery".
3. Select (place a check) beside ALL the backup files that contain quarantined items.
4. Click on the Purge Selected Items button.
5. A dialog will appear, stating that the backup will be removed. Click Yes.
6. When the Recovery window is empty, Exit Spybot.



  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    C:\Documents and Settings\Robert Smith\My Documents\Setup.exe 
    
    Folder:: 
    C:\WINDOWS\system32\ardCo18
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply, please post:Combofix log (C:\Combofix.txt), and the answers to the above questions
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Unread postby robmix » February 8th, 2008, 6:20 pm

ComboFix 08-02.05.3 - Robert Smith 2008-02-08 16:11:24.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -6:00]
Running from: C:\Documents and Settings\Robert Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Smith\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Robert Smith\My Documents\Setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Robert Smith\My Documents\Setup.exe
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\ardCo18\ardCo182328.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 16:35 . 2008-02-07 16:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 16:35 . 2008-02-07 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-30 19:56 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-29 06:07 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-01-29 06:06 . 2008-01-29 06:07 <DIR> d-------- C:\Program Files\Master Tour Database
2008-01-27 20:22 . 2008-01-27 20:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 05:10 . 2008-01-24 05:10 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\Uniblue
2008-01-23 19:06 . 2008-01-23 19:07 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\PrevxCSI
2008-01-23 19:06 . 2008-01-23 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-13 19:52 . 2008-01-30 20:31 <DIR> d-------- C:\Documents and Settings\Robert Smith\Application Data\LimeWire
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 22:02 --------- d-----w C:\Program Files\QuickTime
2008-02-03 07:15 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-03 07:15 --------- d-----w C:\Program Files\iTunes
2008-01-29 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 02:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-29 00:57 --------- d-----w C:\Program Files\iPod
2008-01-28 02:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-27 13:58 --------- d-----w C:\Program Files\HiJack This
2008-01-24 00:39 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-02 01:30 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\AT&T
2008-01-02 01:25 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-02 01:18 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-02 01:17 --------- d-----w C:\Program Files\Raxco
2008-01-02 01:17 --------- d-----w C:\Program Files\CA
2008-01-02 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-01-02 01:16 --------- d-----w C:\Program Files\AT&T
2008-01-02 01:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2008-01-02 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-12-31 01:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-30 20:11 77,891 ----a-w C:\WINDOWS\system32\USRmlnkA.exe
2007-12-30 20:02 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\Yahoo!
2007-12-30 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-29 14:18 --------- d-----w C:\Program Files\ATT
2007-12-29 03:57 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 13:52 --------- d-----w C:\Program Files\AC3Filter
2007-12-26 13:18 --------- d-----w C:\Program Files\ahead
2007-12-26 13:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 13:16 --------- d-----w C:\Program Files\Common Files\Voyetra
2007-12-22 15:48 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\Canon
2007-12-22 15:22 --------- d-----w C:\Program Files\Canon
2007-12-22 15:18 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\ScanSoft
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-12-22 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-22 15:16 --------- d-----w C:\Program Files\ScanSoft
2007-12-22 15:15 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-22 15:12 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-22 15:11 --------- d--h--w C:\Program Files\CanonBJ
2007-12-20 10:54 --------- d-----w C:\Program Files\OfficeUpdate11
2007-12-20 10:54 --------- d-----w C:\Program Files\MP3Downloading
2007-12-20 10:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-20 10:54 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-20 10:53 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-20 10:53 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-12-20 10:53 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 10:53 --------- d-----w C:\Program Files\androidnews
2007-12-20 10:53 --------- d-----w C:\Program Files\Amazing DVD Player
2007-12-13 03:10 --------- d-----w C:\Documents and Settings\Robert Smith\Application Data\FaxCtr
2007-12-13 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-13 02:11 32,123 ----a-w C:\WINDOWS\PaperPortSave.reg
2007-12-13 02:11 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-12-13 02:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 01:56 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 11:42 --------- d-----w C:\Program Files\PrimaScan
2007-12-12 11:42 --------- d-----w C:\Program Files\Common Files\Panasonic
2007-11-24 18:28 654,920 ----a-w C:\mtinst.exe
2004-12-16 18:50 8,273 ----a-w C:\Program Files\snylcd55.cat
2004-12-12 18:38 2,824 ----a-w C:\Program Files\HS75P_65.icm
2004-12-12 18:36 2,824 ----a-w C:\Program Files\HS75P_93.icm
2004-12-10 02:49 1,636 ----a-w C:\Program Files\SnyLCD55.inf
2004-05-19 15:16 20,854 ----a-w C:\Program Files\README-E.RTF
2002-02-17 22:52 8,584,973 ----a-w C:\Documents and Settings\Robert Smith\pcc2knt_76_1436.exe
2007-08-24 03:14 21,382,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 03:14 980,000 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:36 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe" [2007-06-28 16:09 310000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 10:10 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 19:36 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HydarVisionViewport"=viewport.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"USRpdA"=C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 14:52]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 18:16]
R3 MN130;Microsoft(R) PCI Adapter MN-130;C:\WINDOWS\system32\DRIVERS\MN130-51.sys [2002-05-29 12:25]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 22:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 03:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
S3 Amps2prt;PS/2 Port Wheel Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2000-11-03 20:37]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 07:57]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 15:34]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 01:56]
S3 USR7900;U.S. Robotics 10/100 PCI NIC TX;C:\WINDOWS\system32\DRIVERS\USR7900.SYS [2001-12-03 09:41]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 15:28]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-12-13 18:42]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 16:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 16:15:41
ComboFix-quarantined-files.txt 2008-02-08 22:15:13
ComboFix2.txt 2008-02-06 22:52:45
ComboFix3.txt 2008-02-05 22:05:04
.
2008-01-09 11:23:59 --- E O F ---


There are no updates for AT&T Security Suite. I am running the full version. I am running the AT&T virus program and no other virus programs that I am aware of.
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 11th, 2008, 1:30 pm

Ok things are looking much better now, can you please post a new HJT log,
and use HJT to post a uninstall list



To start with Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Image

Click on the Save list... button and specify where you would like to save this file.

When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Unread postby robmix » February 11th, 2008, 1:59 pm

AC3Filter (remove only)
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Apple Mobile Device Support
AT&T Internet Security Suite
AT&T Internet Security Wizard 1.5.11
Authentium AntiVirus SDK - 2
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.0
Canon MX700 series
Canon MX700 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Google Earth
HijackThis 2.0.2
iTunes
Kaspersky Online Scanner
Master Tour Database
Microsoft .NET Framework 2.0 Service Pack 1
PerfectDisk
QuickTime
Radialpoint Security Services
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
ScanSoft OmniPage SE 4
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943485)
Spybot - Search & Destroy
Windows Installer Clean Up
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby robmix » February 11th, 2008, 2:01 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:57 PM, on 2008-02-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\seemeknow.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AT&T Internet Security Suite] C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2445211787
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

--
End of file - 4211 bytes
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 12th, 2008, 10:53 am

Hi robmix

It shows in the uninstall list that you do have Authentium AntiVirus installed, and you HJT log shows it as running, along
side with AT&T Internet Security Suite which also has a Antivirus, Having two anti-virus programs running at the same time can cause your
computer to run very slow, become unstable and even, in rare cases, crash, you need to disable the realtime protection of one of them.


You also have these installed, are they connected to AT&T Internet Security Suite in some way??, were they downloaded or installed from
your ISP,???, do you use them??.

Radialpoint Security Services
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip


I am sure that the uipopuphidden message is coming from one of the installed programs, please post back with the one's you use,
or would like to keep, it does your system no good having all these installed at the same time..


.
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Unread postby 'KotaGuy » February 20th, 2008, 1:16 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 287 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware