Can Not Remove Virtumonde

Post by dab6181 » March 27th, 2008, 9:43 pm

Hello and thank you for your help.

I have spent $60 so far on spyware doctor and ad aware, neither of which can remove my trojan.

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:30 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyv.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2454 bytes


Thanks for the help
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Post by dan12 » March 28th, 2008, 2:10 am

Hi, dab6181, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dan12 » March 28th, 2008, 3:39 am

I believe we have some files hiding from us, I'm going to flush them out.

Please go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe. Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe.

Then run HijackThis again and post a new log please.

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » March 28th, 2008, 7:55 am

Hello Dan, and thank you for your time.

I renamed the file to Removal.exe, here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:16 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyv.exe
O2 - BHO: (no name) - {389242FF-532B-418A-B559-89A78F364352} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {FB9DAC37-ED47-4EBC-AEA1-7F6860E6A41A} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2755 bytes
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm
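As an added example (not part of the thread, of HijackThis or of ComboFix), here is a small Python triage helper that flags the indicators this thread turns on: the F3 win.ini load= autostart, the unnamed O2 BHO entries, and executables whose name carries a space before the extension ("pctsTray .exe", which the RenV:: section of the later CFScript renames back). The sample lines are copied from the log posted above; the flagging rules are heuristics written for this example.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Flags three indicators visible in this thread:
  * F3 win.ini load=/run= entries (a legacy autostart rarely used legitimately),
  * O2 BHO entries with no name that load from system32 or point at no file,
  * paths with a space before the extension ("pctsTray .exe"), the pattern the
    CFScript's RenV:: section later renames back to the real program name.
The rules are heuristics written for this example, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the second HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyv.exe
O2 - BHO: (no name) - {389242FF-532B-418A-B559-89A78F364352} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {FB9DAC37-ED47-4EBC-AEA1-7F6860E6A41A} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line in the log text
    severity: str     # "high" or "medium"
    reason: str
    detail: str


# "O2 - BHO: ..." style entry: a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A Windows path up to an executable-ish extension; lazy so that a space
# before the extension stays inside the match ("...\pctsTray .exe").
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|tmp)', re.IGNORECASE)
SPACED_EXT_RE = re.compile(r"\s\.\w+$")
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
WININI_RE = re.compile(r"win\.ini: (?:load|run)=", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order (a pure function, so it is easy to test)."""
    lines = log_text.splitlines()
    # Every path mentioned anywhere, so a renamed copy can be matched to its twin.
    seen = {p.lower() for line in lines for p in PATH_RE.findall(line)}
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        # Rule 3 applies to any path on any line (process list or entry).
        for path in PATH_RE.findall(line):
            if SPACED_EXT_RE.search(path):
                twin = re.sub(r"\s+(\.\w+)$", r"\1", path)
                note = ("legitimate twin also present" if twin.lower() in seen
                        else "no twin present")
                findings.append(Finding(no, "high",
                                        "space before extension (renamed copy of a program)",
                                        f"{path} ({note})"))
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F3" and WININI_RE.search(body):
            findings.append(Finding(no, "high", "legacy win.ini load=/run= autostart", body))
        elif code == "O2" and "(no name)" in body:
            if "(no file)" in body:
                findings.append(Finding(no, "medium", "orphaned BHO registration (no file)", body))
            else:
                for path in PATH_RE.findall(body):
                    if SYSTEM32_RE.search(path):
                        findings.append(Finding(no, "high", "unnamed BHO loading from system32", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.reason}: {f.detail}")
```

Entries that are neither flagged nor known-good (the O23 "Unknown owner" ATI service, for instance) still need the human review the helpers in this thread perform; the script only surfaces the obvious ones.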

Re: Can Not Remove Virtumonde

Post by dan12 » March 28th, 2008, 1:11 pm

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » March 29th, 2008, 12:14 am

Thanks Dan, I went ahead and ran the combofix, here are the two logs:

ComboFix 08-03-27.2 - Derek 2008-03-28 23:04:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1549 [GMT -6:00]
Running from: C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM435c559b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\fomecewk.ini
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\kwecemof.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nfbepbdy.ini
C:\WINDOWS\system32\tcipipat.dll
C:\WINDOWS\system32\vkolhpqj.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\ydbpebfn.dll
C:\WINDOWS\system32\ydtppuir.dll

----- BITS: Possible infected sites -----

hxxp://85.12.43.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-28 23:04 . 2008-03-28 23:04 2,048 --a------ C:\Documents and Settings\Derek\Mcshield.exe
2008-03-27 20:50 . 2008-03-27 20:50 346,112 --a------ C:\WINDOWS\system32\RCX11.tmp
2008-03-27 20:50 . 2008-03-27 20:50 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-03-27 19:53 . 2008-03-27 19:53 346,112 --a------ C:\WINDOWS\system32\RCX10.tmp
2008-03-27 19:44 . 2008-03-27 19:44 346,112 --a------ C:\WINDOWS\system32\RCXF.tmp
2008-03-27 18:40 . 2008-03-27 20:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 18:40 . 2008-03-27 18:40 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\PC Tools
2008-03-27 18:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-27 18:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-27 18:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-27 18:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-27 16:48 . 2008-03-27 16:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-27 16:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-27 16:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-27 16:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-27 13:05 . 2008-03-27 13:05 106,560 --a------ C:\WINDOWS\system32\gdfuhmju.exe
2008-03-27 13:05 . 2008-03-27 13:05 60,928 --a------ C:\WINDOWS\system32\ppnst.dll
2008-03-26 13:08 . 2008-03-27 06:52 294 --ahs---- C:\WINDOWS\system32\mbjpbytn.ini
2008-03-25 16:25 . 2008-03-25 16:25 <DIR> d-------- C:\Logs
2008-03-25 13:13 . 2008-03-25 13:01 354 --ahs---- C:\WINDOWS\system32\urpejwlu.ini
2008-03-25 13:10 . 2008-03-25 18:01 414 --ahs---- C:\WINDOWS\system32\iswujybt.ini
2008-03-24 13:13 . 2008-03-25 12:13 294 --ahs---- C:\WINDOWS\system32\qwphsrnx.ini
2008-03-23 17:59 . 2008-03-23 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 17:59 . 2008-03-23 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 13:11 . 2008-03-23 13:11 414 --ahs---- C:\WINDOWS\system32\btsebbsb.ini
2008-03-22 13:11 . 2008-03-22 13:11 354 --ahs---- C:\WINDOWS\system32\vnjewtkx.ini
2008-03-21 13:08 . 2008-03-22 13:08 294 --ahs---- C:\WINDOWS\system32\mkgcdmog.ini
2008-03-20 19:46 . 2008-03-27 07:15 920 --a------ C:\WINDOWS\wininit.ini
2008-03-20 19:30 . 2008-03-27 17:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 19:30 . 2008-03-27 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 13:10 . 2008-03-20 20:23 354 --ahs---- C:\WINDOWS\system32\ujdanjwu.ini
2008-03-19 13:10 . 2008-03-19 13:10 294 --ahs---- C:\WINDOWS\system32\tehqgyey.ini
2008-03-18 13:55 . 2008-03-18 13:02 1,525,957 --ahs---- C:\WINDOWS\system32\oyilybew.ini
2008-03-18 13:13 . 2008-03-18 13:14 1,526,017 --ahs---- C:\WINDOWS\system32\vswifcts.ini
2008-03-17 13:52 . 2008-03-17 13:52 1,358,887 --ahs---- C:\WINDOWS\system32\grojhueo.ini
2008-03-16 13:51 . 2008-03-16 13:51 1,339,536 --ahs---- C:\WINDOWS\system32\ymuhuxvq.ini
2008-03-15 13:48 . 2008-03-16 13:48 1,339,476 --ahs---- C:\WINDOWS\system32\wrvoqifa.ini
2008-03-15 13:35 . 2008-03-28 23:02 0 --ah----- C:\BIT126.tmp
2008-03-14 13:48 . 2008-03-14 13:48 1,339,416 --ahs---- C:\WINDOWS\system32\byysmdyc.ini
2008-03-13 13:45 . 2008-03-14 13:46 1,368,292 --ahs---- C:\WINDOWS\system32\asxdaqrb.ini
2008-03-12 13:51 . 2008-03-13 09:51 1,320,095 --ahs---- C:\WINDOWS\system32\tmjgkjce.ini
2008-03-12 12:33 . 2008-03-12 12:33 <DIR> d-------- C:\Program Files\iPod
2008-03-11 20:41 . 2008-03-11 20:41 346,112 --a------ C:\WINDOWS\system32\RCXA.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 05:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 02:44 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-03-27 06:34 --------- d-----w C:\Program Files\Winamp
2008-03-25 21:56 --------- d-----w C:\Program Files\World of Warcraft
2008-03-23 23:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 00:47 --------- d-----w C:\Documents and Settings\Derek\Application Data\LimeWire
2008-03-13 15:51 --------- d-----w C:\Program Files\iTunes
2008-03-13 15:51 --------- d-----w C:\Program Files\Curse
2008-02-25 03:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\GetRightToGo
2008-02-25 03:17 --------- d-----w C:\Documents and Settings\Derek\Application Data\Turbine
2008-02-25 02:51 --------- d-----w C:\Program Files\Turbine
2008-02-13 04:24 --------- d-----w C:\Documents and Settings\Derek\Application Data\IGN_DLM
2008-02-08 17:47 --------- d-----w C:\Program Files\Google
2008-02-02 04:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:52 --------- d-----w C:\Program Files\Sony
2007-12-18 17:08 4,346,084 ----a-w C:\Documents and Settings\Derek\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-08-30 01:06 17,528 ----a-w C:\Documents and Settings\Derek\Application Data\GDIPFONTCACHEV1.DAT
.
----a-w            77,824 2007-12-24 19:32:22  C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt .exe
----a-w           729,088 2007-12-24 19:32:22  C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
----a-w            90,112 2007-12-24 19:32:22  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w         2,321,600 2008-03-13 15:51:29  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w           477,696 2008-03-26 00:02:19  C:\Program Files\Curse\CurseClient .exe
----a-w         1,103,480 2008-03-13 15:51:29  C:\Program Files\FilePlanet\Download Manager\dlm .exe
----a-w            94,208 2007-12-24 19:32:23  C:\Program Files\Lexmark 4300 Series\ezprint .exe
----a-w           192,512 2007-12-24 19:32:23  C:\Program Files\Lexmark 4300 Series\lxcemon .exe
----a-w         5,146,448 2008-03-27 23:44:23  C:\Program Files\Spybot - Search & Destroy\SpybotSD .exe
----a-w         2,097,488 2008-03-21 03:08:41  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w         1,103,240 2008-03-28 02:50:18  C:\Program Files\Spyware Doctor\pctsTray .exe
----a-w           158,208 2007-12-25 20:00:40  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig  .exe
----a-w           158,208 2008-03-28 02:44:14  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w            15,360 2007-12-26 02:04:31  C:\WINDOWS\system32\ctfmon .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\406f6607]
C:\WINDOWS\system32\ydbpebfn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-03-01 13:35 2699264 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM435c559b]
C:\WINDOWS\system32\vkolhpqj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssa]
C:\WINDOWS\system32\ECURIT~1\notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-03-11 20:41 876544 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-03-01 13:35 1489920 C:\Program Files\FilePlanet\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
C:\WINDOWS\io43mvuiw4kj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-13 09:51 704512 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\gebyv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2008-03-27 20:44 158208 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetService]
--a------ 2008-03-27 13:05 60928 C:\WINDOWS\system32\ppnst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\system32\spads.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 16:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F6-66-6A-A8-ZN}]
C:\DOCUME~1\Derek\LOCALS~1\Temp\T0CHD001.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\Services\\mlnet.exe"=]


.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 02:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 23:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
.
**************************************************************************
.
Completion time: 2008-03-28 23:12:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 05:11:51
ComboFix2.txt 2007-12-26 02:49:34
Pre-Run: 62,712,246,272 bytes free
Post-Run: 63,631,904,768 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:26 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2466 bytes
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Post by dan12 » March 29th, 2008, 7:55 am

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » March 29th, 2008, 10:04 am

Here ya go:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Post by dan12 » March 29th, 2008, 1:28 pm

That's fine. Back with you soon. :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dan12 » March 29th, 2008, 1:36 pm

Sooner than I thought :D

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\gdfuhmju.exe
C:\WINDOWS\system32\ppnst.dll
C:\WINDOWS\system32\mbjpbytn.ini
C:\WINDOWS\system32\urpejwlu.ini
C:\WINDOWS\system32\iswujybt.ini
C:\WINDOWS\system32\qwphsrnx.ini
C:\WINDOWS\system32\btsebbsb.ini
C:\WINDOWS\system32\vnjewtkx.ini
C:\WINDOWS\system32\mkgcdmog.ini
C:\WINDOWS\system32\ujdanjwu.ini
C:\WINDOWS\system32\tehqgyey.ini
C:\WINDOWS\system32\oyilybew.ini
C:\WINDOWS\system32\vswifcts.ini
C:\WINDOWS\system32\grojhueo.ini
C:\WINDOWS\system32\ymuhuxvq.ini
C:\WINDOWS\system32\wrvoqifa.ini
C:\WINDOWS\system32\byysmdyc.ini
C:\WINDOWS\system32\asxdaqrb.ini
C:\WINDOWS\system32\tmjgkjce.ini
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\ydbpebfn.dll
C:\WINDOWS\system32\vkolhpqj.dll
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\ppnst.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\spads.dll
C:\WINDOWS\winshow.exe
C:\DOCUME~1\Derek\LOCALS~1\Temp\T0CHD001.exe

Folder::
C:\Program Files\Web Buying
C:\Program Files\webHancer


Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\406f6607]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM435c559b]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetService]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F6-66-6A-A8-ZN}]

RenV::
C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
C:\Program Files\Curse\CurseClient .exe
C:\Program Files\FilePlanet\Download Manager\dlm .exe
C:\Program Files\Lexmark 4300 Series\ezprint .exe
C:\Program Files\Lexmark 4300 Series\lxcemon .exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spyware Doctor\pctsTray .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig  .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • New HijackThis log

Thanks dan
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Unread postby dab6181 » March 29th, 2008, 3:43 pm

ComboFix 08-03-27.2 - Derek 2008-03-29 13:30:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1578 [GMT -6:00]
Running from: C:\Documents and Settings\Derek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Derek\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\DOCUME~1\Derek\LOCALS~1\Temp\T0CHD001.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\asxdaqrb.ini
C:\WINDOWS\system32\btsebbsb.ini
C:\WINDOWS\system32\byysmdyc.ini
C:\WINDOWS\system32\gdfuhmju.exe
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\grojhueo.ini
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\system32\iswujybt.ini
C:\WINDOWS\system32\mbjpbytn.ini
C:\WINDOWS\system32\mkgcdmog.ini
C:\WINDOWS\system32\oyilybew.ini
C:\WINDOWS\system32\ppnst.dll
C:\WINDOWS\system32\qwphsrnx.ini
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\spads.dll
C:\WINDOWS\system32\tehqgyey.ini
C:\WINDOWS\system32\tmjgkjce.ini
C:\WINDOWS\system32\ujdanjwu.ini
C:\WINDOWS\system32\urpejwlu.ini
C:\WINDOWS\system32\vkolhpqj.dll
C:\WINDOWS\system32\vnjewtkx.ini
C:\WINDOWS\system32\vswifcts.ini
C:\WINDOWS\system32\wrvoqifa.ini
C:\WINDOWS\system32\ydbpebfn.dll
C:\WINDOWS\system32\ymuhuxvq.ini
C:\WINDOWS\winshow.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\asxdaqrb.ini
C:\WINDOWS\system32\btsebbsb.ini
C:\WINDOWS\system32\byysmdyc.ini
C:\WINDOWS\system32\ceayejlx.dll
C:\WINDOWS\system32\gdfuhmju.exe
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\grojhueo.ini
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\system32\iswujybt.ini
C:\WINDOWS\system32\mbjpbytn.ini
C:\WINDOWS\system32\mkgcdmog.ini
C:\WINDOWS\system32\ogqyfako.dll
C:\WINDOWS\system32\okafyqgo.ini
C:\WINDOWS\system32\oyilybew.ini
C:\WINDOWS\system32\ppnst.dll
C:\WINDOWS\system32\qwphsrnx.ini
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\tehqgyey.ini
C:\WINDOWS\system32\tmjgkjce.ini
C:\WINDOWS\system32\ujdanjwu.ini
C:\WINDOWS\system32\urpejwlu.ini
C:\WINDOWS\system32\vnjewtkx.ini
C:\WINDOWS\system32\vswifcts.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\wrvoqifa.ini
C:\WINDOWS\system32\ymuhuxvq.ini

----- BITS: Possible infected sites -----

hxxp://85.12.43.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-28 23:15 . 2008-03-29 13:21 0 --ah----- C:\BIT6.tmp
2008-03-27 18:40 . 2008-03-29 13:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 18:40 . 2008-03-27 18:40 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\PC Tools
2008-03-27 18:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-27 18:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-27 18:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-27 18:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-27 16:48 . 2008-03-27 16:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-27 16:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-27 16:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-27 16:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-25 16:25 . 2008-03-25 16:25 <DIR> d-------- C:\Logs
2008-03-23 17:59 . 2008-03-23 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 17:59 . 2008-03-23 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 19:46 . 2008-03-27 07:15 920 --a------ C:\WINDOWS\wininit.ini
2008-03-20 19:30 . 2008-03-29 13:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 19:30 . 2008-03-27 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 13:35 . 2008-03-28 23:02 0 --ah----- C:\BIT126.tmp
2008-03-12 12:33 . 2008-03-12 12:33 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 19:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 19:29 --------- d-----w C:\Program Files\Lexmark 4300 Series
2008-03-29 19:29 --------- d-----w C:\Program Files\Curse
2008-03-28 02:44 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
2008-03-27 06:34 --------- d-----w C:\Program Files\Winamp
2008-03-25 21:56 --------- d-----w C:\Program Files\World of Warcraft
2008-03-23 23:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 00:47 --------- d-----w C:\Documents and Settings\Derek\Application Data\LimeWire
2008-03-13 15:51 --------- d-----w C:\Program Files\iTunes
2008-02-25 03:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\GetRightToGo
2008-02-25 03:17 --------- d-----w C:\Documents and Settings\Derek\Application Data\Turbine
2008-02-25 02:51 --------- d-----w C:\Program Files\Turbine
2008-02-13 04:24 --------- d-----w C:\Documents and Settings\Derek\Application Data\IGN_DLM
2008-02-08 17:47 --------- d-----w C:\Program Files\Google
2008-02-02 04:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:52 --------- d-----w C:\Program Files\Sony
2007-12-18 17:08 4,346,084 ----a-w C:\Documents and Settings\Derek\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-08-30 01:06 17,528 ----a-w C:\Documents and Settings\Derek\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-03-28 23:44 1103240]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-03-13 09:51 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssa]
C:\WINDOWS\system32\ECURIT~1\notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-25 20:04 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-03-25 18:02 477696 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-03-13 09:51 1103480 C:\Program Files\FilePlanet\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-13 09:51 704512 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-03-20 21:08 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
--a------ 2008-03-27 17:44 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 16:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\Services\\mlnet.exe"=]


.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 02:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 13:33:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Malwarebytes' Anti-Malware 1.09
Database version: 566

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 73755
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\2.608889E-02.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15, on 2008-03-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Removal.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

--
End of file - 2364 bytes
dab6181
Active Member
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Unread postby dan12 » March 29th, 2008, 6:40 pm

Open Notepad and copy and paste the text in the code box:

Code:
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Save this as look.bat, choose to save as *all files, and place it on your desktop.
This is how the batch should look after you created it.
Double-click on look.bat and post the contents of it in your next reply.

please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please include in your next post:
  • look.bat text
  • Kaspersky scan log
  • New HijackThis log

Thanks dan
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
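The look.bat batch above writes the MSConfig startupreg entries in the text format that regedit /e produces (a "Windows Registry Editor Version 5.00" header, one [key] line per entry, and "name"="value" lines with backslashes and quotes escaped). The helper reads that dump by eye; the Python below, an added example that is not part of the forum post or of any tool named in it, parses the same format and flags entries whose command line matches patterns that appear elsewhere in this thread's logs: a space before ".exe" in the file name, an 8.3 short-name subfolder under system32, or a program started from a Temp directory. The sample export is constructed to mirror the page's layout, and the flagging heuristics are the editor's own assumptions, not MSConfig's or ComboFix's logic.

```python
"""Parse a regedit /e export of MSConfig\startupreg and flag odd startup commands.

Added example, not code from the forum post. The sample text is constructed in
the same layout as the look.bat output; the heuristics are the editor's own.
"""
import re

# Constructed sample export (abridged), same format regedit /e writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bssa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="notepad"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\ECURIT~1\\notepad.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSConfig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSConfig "
"hkey"="HKLM"
"command"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig .exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\subkey]
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string value"


def unescape(value):
    """Undo the .reg escaping: \\ becomes \ and \" becomes a quote."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text):
    """Return {key path: {value name: value}} for the string values in a .reg dump."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            entries[current][val.group(1)] = unescape(val.group(2))
    return entries


def exe_path(command):
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = command.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the first ".exe" ends the path, so "MSConfig .exe /auto" keeps its space.
    m = re.search(r'\.exe\b', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(' ', 1)[0]


def suspicious_reasons(path):
    """Editor's heuristics, modelled on patterns visible in this thread's logs."""
    reasons = []
    name = path.rsplit('\\', 1)[-1]
    low = path.lower()
    if re.search(r'\s+\.exe$', name, re.IGNORECASE):
        reasons.append('space before .exe (name mimics a legitimate binary)')
    if '\\system32\\' in low and re.search(r'\\[A-Z0-9]{1,6}~\d\\', path, re.IGNORECASE):
        reasons.append('8.3 short-name subfolder under system32')
    if '\\temp\\' in low:
        reasons.append('runs from a Temp directory')
    return reasons


def audit_startup(text):
    """Return [(entry name, exe path, [reasons])] for every flagged startupreg entry."""
    flagged = []
    for key, values in parse_reg_export(text).items():
        if 'command' not in values:
            continue  # the parent startupreg key carries no values
        path = exe_path(values['command'])
        reasons = suspicious_reasons(path)
        item = values.get('item', '')
        if item != item.strip():
            reasons.append('item name padded with whitespace')
        if reasons:
            flagged.append((key.rsplit('\\', 1)[-1], path, reasons))
    return flagged


if __name__ == '__main__':
    for name, path, reasons in audit_startup(SAMPLE_REG):
        print(f'{name}: {path}\n    ' + '\n    '.join(reasons))
```

Run it against a real startup.txt by reading the file into audit_startup() instead of SAMPLE_REG; entries that come back flagged are the ones worth cross-checking against the ComboFix and HijackThis logs before deciding anything, since the heuristics only say "unusual", not "malicious".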

Re: Can Not Remove Virtumonde

Unread postby dab6181 » March 29th, 2008, 8:03 pm

Here is the look.bat txt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reader_sl"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdobeUpdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdater"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bssa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="notepad"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\ECURIT~1\\notepad.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CurseClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CurseClient"
"hkey"="HKCU"
"command"="C:\\Program Files\\Curse\\CurseClient.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igndlm.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlm"
"hkey"="HKCU"
"command"="C:\\Program Files\\FilePlanet\\Download Manager\\dlm.exe /windowsstart /startifwork"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pctsTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Spyware Doctor\\pctsTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSConfig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSConfig "
"hkey"="HKLM"
"command"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig .exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QTTask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSnD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpybotSD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
"path"="C:\\Documents and Settings\\Derek\\Start Menu\\Programs\\Startup\\Spruce - Auto Update.lnk"
"backup"="C:\\WINDOWS\\pss\\Spruce - Auto Update.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Spruce\\Spruce.exe /DELAY=120"
"item"="Spruce - Auto Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Derek\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\DOCUME~1\\Derek\\LOCALS~1\\Temp\\T0CHD001.exe CHD001"
"item"="TA_Start"

Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-03-29 19:01
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672629
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48916
Number of viruses found: 7
Number of infected objects: 102
Number of suspicious objects: 0
Duration of the scan process: 00:32:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\cert8.db Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\history.dat Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\key3.db Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\parent.lock Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Derek\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Application Data\Mozilla\Firefox\Profiles\dn8pvz4m.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Derek\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File skipped
C:\Documents and Settings\Derek\Local Settings\Temp\RCX4.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Derek\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Derek\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071225-202636-925-source.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebyv.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX10.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX11.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX1E.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXA.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXF.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vkolhpqj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ydbpebfn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-28_230728.64.zip/gebyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-28_230728.64.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006308.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006332.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006337.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006340.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006341.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006342.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006343.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006344.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006345.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006354.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP103\A0006364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP103\A0006367.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP103\A0006369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP103\A0006423.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP104\A0006565.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP105\A0006578.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP105\A0006581.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0006864.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0006885.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0006886.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0006976.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0007009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0007019.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0007027.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0007030.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0009042.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0009045.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP106\A0009054.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP108\A0009064.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP108\A0009068.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP108\A0009069.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP108\A0009125.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009214.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009215.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009216.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009217.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009218.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009219.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009220.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009221.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009222.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009223.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009233.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP111\A0009251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP112\change.log Object is locked skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP95\A0005122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP95\A0005129.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP95\A0005135.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP95\A0005136.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005150.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005162.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005164.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0005172.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0006170.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP96\A0006172.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006210.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006213.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006215.dll Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006217.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006219.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006220.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006222.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006223.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006224.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006225.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006226.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006227.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP98\A0006236.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


And here is the latest Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02, on 2008-03-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

--
End of file - 2123 bytes
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Unread postby dan12 » March 29th, 2008, 8:28 pm

Thanks for the returned logs, I have a little to do on them, we're getting there :) .
Meantime, can you get these uploaded for me:

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the following file path into the window
C:\BIT126.tmp
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\BIT6.tmp

If Jotti is too busy please try Virustotal
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Unread postby dab6181 » March 29th, 2008, 10:50 pm

Thanks for all the help, so far so good.

As for the two files, it told me that a piece of malware is preventing me from uploading them for scanning.

Any way around this or is this something you expected?

After taking another look at it, both files show that they are 0 bytes.
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm
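
As an added example (not code from this thread, from MalwareRemoval.com, or from any tool mentioned here), the following Python script does two things a helper would do with the material above. It parses the Kaspersky Online Scanner report posted earlier and buckets each detection by whether it sits in ComboFix's C:\QooBox quarantine, in a System Restore point, or on the live system; every line in that report ends in "skipped", meaning the scanner only reported and cleaned nothing, so location is what decides whether anything still needs action. It also checks a candidate file's size and SHA-256 before it is submitted to Jotti or VirusTotal, flagging the 0-byte case dab6181 reports. The sample report lines are copied from the log above except for one constructed line (constructed_example.dll) that exercises the "live" bucket; the two files used by demo_presubmit are constructed in a temporary directory.

```python
"""Triage helpers for a Kaspersky Online Scanner report and for pre-submission
checks on a suspect file.

Report lines come in three shapes (see the log pasted above):
    <path> Infected: <verdict> skipped
    <path> ZIP: infected - <n> skipped
    <path> Object is locked skipped
"skipped" means the scanner only reported; nothing was cleaned.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# One record per report line; the scanner's closing summary line will not match.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)"
    r"|ZIP: infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked)) skipped$"
)

# Sample report: lines copied from the scan log above, plus ONE constructed
# line (constructed_example.dll) so the "live" bucket is exercised.
SAMPLE_REPORT = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX10.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vkolhpqj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-28_230728.64.zip/gebyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-28_230728.64.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A8EDD35D-3ACE-4C32-8F1A-701573ED6A3C}\RP102\A0006308.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\constructed_example.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
""".strip().splitlines()


def classify_location(path):
    """Bucket a reported path by where it lives on disk."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # goes away when System Restore is flushed
    return "live"                # still on the running system: needs attention


def parse_report(lines):
    """Return one dict per infection record; locked-file and banner lines are dropped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("locked"):
            continue  # summary line, or a file the OS holds open (not a detection)
        verdict = m.group("verdict") or f"archive-with-{m.group('count')}-infected"
        hits.append({"path": m.group("path"), "verdict": verdict,
                     "location": classify_location(m.group("path"))})
    return hits


def summarize(hits):
    """Counts by location and by verdict, plus the live paths a helper must act on."""
    return {
        "by_location": dict(Counter(h["location"] for h in hits)),
        "by_family": dict(Counter(h["verdict"] for h in hits)),
        "live_paths": [h["path"] for h in hits if h["location"] == "live"],
    }


def presubmit_check(path):
    """Size and SHA-256 of a file before uploading it for analysis.

    A 0-byte file (what dab6181 reports above for C:\\BIT126.tmp and C:\\BIT6.tmp)
    carries nothing to scan, so it is flagged instead of hashed. The digest lets
    you look a sample up on a multi-engine scanner without re-uploading it.
    """
    size = os.path.getsize(path)
    if size == 0:
        return {"path": path, "size": 0, "sha256": None, "uploadable": False}
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return {"path": path, "size": size, "sha256": digest.hexdigest(), "uploadable": True}


def demo_presubmit():
    """Run presubmit_check on two constructed files: one empty, one holding b'hello'."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "constructed_empty.tmp")
        full = os.path.join(tmp, "constructed_sample.bin")
        open(empty, "wb").close()
        with open(full, "wb") as fh:
            fh.write(b"hello")  # constructed content
        return presubmit_check(empty), presubmit_check(full)


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print("hits by location:", report["by_location"])
    print("hits by verdict: ", report["by_family"])
    print("live paths:      ", report["live_paths"])
    for result in demo_presubmit():
        print("presubmit:", result)
```

On the sample above the only "live" hit is the constructed line; every real line from the thread's log lands in quarantine or in a restore point, which is the reading the helper needs before deciding whether more cleaning is required. Locked-file lines are dropped deliberately: they are registry hives, event logs and WMI repository files the OS holds open, not detections.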