MalwareRemoval.com
Virumondo recurring when using Spy Sweeper

Post by Chris45 » December 4th, 2008, 12:46 am

I have been desperately trying to clean my computer for the past couple of weeks. The problem I noticed was an unusual amount of popups while browsing the internet, mostly consisting of spyware ads. I've used McAfee, Spy Sweeper and Spyware Doctor, none of which have been able to cure my issues. Spy Sweeper does find the Virtumondo adware and it says it's being removed, but the symptoms return. Spy Sweeper then again finds the adware which it previously had removed. Your help will be greatly appreciated, and thanks in advance.


********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:37 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {ba10900e-6414-4038-8d09-9a51f5e95fc3} - C:\WINDOWS\system32\ruketuno.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] "C:\WINDOWS\BCMSMMSG.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102280339\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\ZMWRJT4X.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\WRJ3U4DH.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\W56R01QB.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\VLWWHF39.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TXCJ2G78.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TPFBI4ML.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TNVVX182.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TES5WLDZ.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\SLM741UN.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\SDQZG
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'Default user')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\botapepe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10969 bytes
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Post by Sharagoz » December 4th, 2008, 6:57 pm

Hello Chris45, welcome to MWR.
Please take note of the following before we begin the cleaning process:
  • The whole process will often take several days to complete, so please stay patient
  • Hang in there until I give you the 'All clean'. If you leave prematurely because your computer seems to be back to its old self, the risk of re-infection will be very high
  • Perform all actions in the order given
  • The instructions I give expect that you're using an account with administrator privileges and that the language of your operating system is English.
  • Don't be afraid to ask questions if something is unclear or you run into issues during cleaning steps
  • I recommend you read through each set of instructions before you actually perform them

1) Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Include this log in your next reply

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Virumondo recurring when using Spy Sweeper

Post by Chris45 » December 4th, 2008, 10:51 pm

Hi Sharagoz, thanks for responding.

**************************************
Uninstall List
**************************************
A960ENG3
ABBYY FineReader 5.0 Sprint Plus
AC3Filter (remove only)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe® Photoshop® Album Starter Edition 3.0
AnswerWorks 4.0 Runtime - English
AOL Coach Version 1.0(Build:20030807.3)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
BCM V.92 56K Modem
BellSouth® FastAccess® DSL Help Center 4.0
Bonjour
Dell AIO Printer A960
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Dell Support
Dell Support Center (Support Software)
DellSupport
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Documents To Go
Drivers Install For Linksys Easylink Advisor
DVDSentry
FL Studio 5
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
ItsDeductible Express
iTunes
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java DB 10.3.1.4
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 6
Java(TM) SE Runtime Environment 6 Update 1
Linksys EasyLink Advisor 1.6 (0044)
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8 Plugin
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Connection Manager
Microsoft Data Access Components KB870669
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
MobileMe Control Panel
Modem Helper
MSDN Library for Visual Studio 2005
MSDN Library for Visual Studio 2005
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB933579)
MUSICMATCH® Jukebox
palmOne
PowerDVD
Pure Networks Port Magic
Python 2.4.2
QuickTime
RealPlayer
Safari
Security Task Manager 1.7
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spy Sweeper
Spy Sweeper Core
TurboTax Basic 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WavePad Uninstall
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinSCP 3.7.4
WordPerfect Office 11

**********************************
Hijackthis Log
**********************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:35 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {ba10900e-6414-4038-8d09-9a51f5e95fc3} - C:\WINDOWS\system32\ruketuno.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] "C:\WINDOWS\BCMSMMSG.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102280339\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\ZMWRJT4X.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\WRJ3U4DH.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\W56R01QB.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\VLWWHF39.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TXCJ2G78.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TPFBI4ML.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TNVVX182.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\TES5WLDZ.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\SLM741UN.SH! C:\DOCUME~1\Evelyn\LOCALS~1\Temp\TEMPOR~1.SH!\Content.SH!\SDQZG
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'Default user')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\botapepe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (http://www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 11112 bytes
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am
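As an added example that is not part of the original thread (my own script, not HijackThis's analysis and not MalwareRemoval.com's procedure): a Python triage of the two HijackThis logs Chris45 posted on 3 and 4 December. It parses the entry lines (R0-R3, O1-O24), flags the items a helper would look at first (the O20 AppInit_DLLs value, the O4 Run keys under the SYSTEM, LOCAL SERVICE, NETWORK SERVICE and .DEFAULT hives, eight-letter random DLL names in system32, and orphaned "(file missing)" / "(no file)" registrations), and diffs the two logs. The embedded log text is a trimmed copy of the entries above, constructed as test input; the flagging rules are my heuristics, and the LOG_DEC3 / LOG_DEC4 names are mine.

```python
"""Triage two HijackThis (HJT) logs: flag persistence entries and diff them.

Added example for this thread. The rules are my own heuristics, not HJT's
analysis. The log text is a trimmed copy of the two logs posted by Chris45
(constructed test input, not the full logs).
"""
from __future__ import annotations

import re

LOG_DEC3 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {ba10900e-6414-4038-8d09-9a51f5e95fc3} - C:\WINDOWS\system32\ruketuno.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKUS\S-1-5-19\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\botapepe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# The 4 December log repeats every entry above and adds these two lines.
LOG_DEC4 = LOG_DEC3 + r"""
O4 - HKLM\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\wavoyolu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>O\d{1,2}|R[0-3])\s+-\s+.+$")
# Run keys that execute for the service accounts and for the default profile.
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT")
# Vundo-era naming: eight random lowercase letters dropped into system32.
RANDOM_SYS32_DLL = re.compile(r"\\[Ss]ystem32\\([a-z]{8})\.dll\b")


def parse_entries(log):
    """Return (section, line) for every HJT entry line, skipping headers and the process list."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), line))
    return entries


def flag_entry(section, line):
    """Heuristic reasons an entry deserves a second look; an empty list means nothing noted."""
    reasons = []
    if section == "O20" and "AppInit_DLLs" in line:
        reasons.append("AppInit_DLLs: injected into every process that loads user32.dll, "
                       "so it can re-drop the other components after a 'successful' removal")
    if section == "O4" and any(h in line for h in SERVICE_HIVES):
        reasons.append("Run key in a service/default hive; legitimate software rarely registers there")
    m = RANDOM_SYS32_DLL.search(line)
    if m:
        reasons.append(f"eight-letter lowercase name {m.group(1)}.dll in system32 "
                       "(Vundo pattern; heuristic only, browseui.dll also matches)")
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned registration: the target file is gone")
    if section == "O2" and "(no name)" in line and "\\system32\\" in line.lower():
        reasons.append("unnamed BHO loaded from system32")
    return reasons


def triage(log):
    """Map each flagged entry line to its list of reasons."""
    flagged = {}
    for sec, line in parse_entries(log):
        reasons = flag_entry(sec, line)
        if reasons:
            flagged[line] = reasons
    return flagged


def diff_logs(old, new):
    """Entry lines that appeared in, and disappeared from, the newer log."""
    old_set = {line for _, line in parse_entries(old)}
    new_set = {line for _, line in parse_entries(new)}
    return sorted(new_set - old_set), sorted(old_set - new_set)


def report(old, new):
    """Triage the newer log and diff it against the older one."""
    added, removed = diff_logs(old, new)
    return {"flagged": triage(new), "added": added, "removed": removed}


if __name__ == "__main__":
    r = report(LOG_DEC3, LOG_DEC4)
    print("Entries to look at in the 4 Dec log:")
    for line, reasons in r["flagged"].items():
        print(f"  {line}")
        for why in reasons:
            print(f"      - {why}")
    print("\nChanged since the 3 Dec log:")
    for line in r["added"]:
        print(f"  + {line}")
    for line in r["removed"]:
        print(f"  - {line}")
```

Run it as a script for a printed report. The random-name rule is only a triage aid: ordinary DLLs such as browseui.dll also have eight lowercase letters, so every flag still needs a check of the file's publisher and signature before anything is deleted. What the diff makes visible is the reinfection the poster describes: the [majowuhole] Run entry under HKLM is absent from the first log and present in the second, while the AppInit_DLLs loader and the Run entries in the service hives survive both, which is consistent with one component re-creating the others after Spy Sweeper reports a removal.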

Re: Virumondo recurring when using Spy Sweeper

Post by Sharagoz » December 5th, 2008, 3:59 pm

I have prepared a fix for you and posted it for approval.
As I am only an undergrad at this uni, I need to have all my fixes approved by a teacher before they can be posted.
The downside with this is that things take a little more time. The upside is that you'll have two sets of eyes checking your logs, so you can be sure nothing will be missed, and the teachers here are among the best malware removers you'll find anywhere, online or not, so you can feel confident you are in the right hands.
The initial waiting time can take up to 48hrs, depending on how busy the teachers are, so please stay patient.
Once a teacher finds a free slot we'll be on our way to a clean computer, and the subsequent replies will usually be faster.
In the top left corner of your opening post there is a link called Subscribe topic. If you click it you will be subscribed to this thread and will receive instant email notification of new replies. For most people this works better than periodically checking back here to see if there are any new posts.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Virumondo recurring when using Spy Sweeper

Post by Sharagoz » December 6th, 2008, 3:21 pm

1) Disable SpySweeper
SpySweeper needs to be disabled during the cleaning process as it will interfere with some of the tools we use.
  • Open SpySweeper
  • Select Options and then Program Options
  • Uncheck the option Load at Windows Startup
  • Select Shields and uncheck all there
  • Uncheck Home page shield
  • Uncheck automatically restore default without notification
  • Reboot your machine to complete the process
Note:
We'll re-enable Spysweeper after we're done cleaning your computer.

You also need to temporarily disable McAfee before the next two steps.
Right-click on the McAfee icon in the system tray next to the clock and choose Exit.
Click Yes on the warning prompt.

2) Uninstall through Add/Remove Programs
  • Press the windows key and the R key at the same time to open the Run dialog box
    (The windows key is usually located to the left of the space bar and is labeled with a windows logo)
  • A dialog box will open. Type appwiz.cpl and press enter
  • This will take you to Add/Remove Programs
    (Optionally you can locate Add/Remove Programs through the control panel)
  • Locate and uninstall the below program:

    Internet Explorer Default Page

Note:
You uninstall by selecting the program and then clicking the button named Remove or Uninstall

3) Download and Run ComboFix
  • Visit this webpage for download links and instructions on how to properly run ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    Make sure you install the Recovery Console as instructed beforehand
    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time and can be a lifesaver later.
    Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Run ComboFix as instructed by the tutorial. When ComboFix is finished running, a log will be opened. Include this log in your next reply.

4) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
ComboFix log
New HJT log

How is the computer running after these steps?
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 6th, 2008, 4:25 pm

Hi Sharagoz,

Thanks again for the help but unfortunately I was unable to complete step number 2. I searched through Add/Remove programs and have been unable to locate Internet Explorer Default Page. I will continue with the rest of your instructions unless you advise me otherwise.
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 6th, 2008, 5:38 pm

I've just completed the steps you gave me and so far I haven't received any popups. Here are the logs you requested.

**************************************************************
ComboFix log file
**************************************************************
ComboFix 08-12-06.03 - Evelyn 2008-12-06 16:08:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.801 [GMT -5:00]
Running from: c:\documents and settings\Evelyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Evelyn\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\ahepavos.ini
c:\windows\system32\akupemih.ini
c:\windows\system32\dawuyoha.dll
c:\windows\system32\enimadel.ini
c:\windows\system32\ewanomer.ini
c:\windows\system32\famupoda.dll
c:\windows\system32\himepuka.dll
c:\windows\system32\hizelizu.dll
c:\windows\system32\idodumen.ini
c:\windows\system32\iduvojat.ini
c:\windows\system32\igozolaf.ini
c:\windows\system32\iyonesuz.ini
c:\windows\system32\jayidigo.dll
c:\windows\system32\juvamonu.dll
c:\windows\system32\kiramega.dll
c:\windows\system32\ledamine.dll
c:\windows\system32\loluwuke.dll
c:\windows\system32\mdm.exe
c:\windows\system32\mejiyolo.dll
c:\windows\system32\mihitibo.dll
c:\windows\system32\murodaji.dll
c:\windows\system32\nemudodi.dll
c:\windows\system32\noyijoyo.dll
c:\windows\system32\oloyijem.ini
c:\windows\system32\pivejehu.dll
c:\windows\system32\remonawe.dll
c:\windows\system32\sawibinu.dll
c:\windows\system32\sirodave.dll
c:\windows\system32\sovapeha.dll
c:\windows\system32\tajovudi.dll
c:\windows\system32\tedefibu.dll
c:\windows\system32\totodele.dll
c:\windows\system32\tujiyivu.dll
c:\windows\system32\uhejevip.ini
c:\windows\system32\ukovogef.ini
c:\windows\system32\unibiwas.ini
c:\windows\system32\utesoyag.ini
c:\windows\system32\uviyijut.ini
c:\windows\system32\zagugijo.dll
c:\documents and settings\Evelyn\Cookies\????????????????????? . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 10:40 . 2008-12-04 10:40 2,713 ---hs---- c:\windows\SYSTEM32\sapemogi.exe
2008-12-03 21:59 . 2008-12-03 21:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 21:27 . 2008-12-03 21:27 <DIR> d-------- C:\VundoFix Backups
2008-12-03 16:39 . 2008-12-03 16:39 2,713 ---hs---- c:\windows\SYSTEM32\sunapija.exe
2008-12-02 07:57 . 2008-11-03 16:10 17,318,336 --a------ c:\windows\SYSTEM32\removal.exe
2008-12-01 20:09 . 2008-12-01 20:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2008-12-01 19:59 . 2004-03-12 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-01 19:59 . 2004-03-12 03:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-01 19:59 . 2008-03-23 10:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-01 19:59 . 2008-12-01 19:59 <DIR> d-------- c:\documents and settings\Administrator
2008-11-30 22:52 . 2008-11-30 22:52 <DIR> d-------- C:\Binaries
2008-11-30 22:51 . 2008-11-30 22:51 <DIR> d-------- c:\program files\Webroot
2008-11-30 22:51 . 2008-11-30 22:51 <DIR> d-------- c:\documents and settings\Evelyn\Application Data\Webroot
2008-11-30 22:51 . 2008-11-30 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-30 22:51 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-30 22:49 . 2008-12-01 21:27 164 --a------ C:\install.dat
2008-11-28 16:08 . 2008-12-01 21:13 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-28 16:08 . 2008-12-01 21:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 13:41 . 2008-11-22 13:41 <DIR> d-------- c:\program files\iPod
2008-11-22 13:40 . 2008-11-22 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 16:02 . 2008-11-12 16:02 170,608 --a------ c:\windows\SYSTEM32\DRIVERS\ssidrv.sys
2008-11-12 16:02 . 2008-11-12 16:02 29,808 --a------ c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys
2008-11-12 16:02 . 2008-11-12 16:02 23,152 --a------ c:\windows\SYSTEM32\DRIVERS\sshrmd.sys
2008-11-11 16:59 . 2008-09-04 12:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-11 16:59 . 2008-10-24 06:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 01:36 --------- d-----w c:\program files\Safari
2008-12-03 02:38 --------- d-----w c:\documents and settings\Evelyn\Application Data\SiteAdvisor
2008-12-02 01:34 --------- d-----w c:\program files\Azureus
2008-11-29 01:37 --------- d-----w c:\program files\Security Task Manager
2008-11-27 14:24 --------- d-----w c:\documents and settings\Evelyn\Application Data\Azureus
2008-11-22 18:41 --------- d-----w c:\program files\iTunes
2008-11-22 18:38 --------- d-----w c:\program files\QuickTime
2008-11-22 18:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-16 14:58 --------- d-----w c:\program files\McAfee
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-21 15:37 60,968 ----a-w c:\documents and settings\Evelyn\GoToAssistDownloadHelper.exe
2004-10-19 20:19 46,688 ----a-w c:\documents and settings\Evelyn\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 39,792 2007-10-11 00:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 192,512 2006-10-30 16:00:56 c:\program files\Bellsouth\HelpCenter\bin\bak\sprtcmd.exe

----a-w 50,792 2006-04-13 20:36:53 c:\program files\Common Files\AOL\1102280339\EE\bak\AOLSoftware.exe

----a-r 71,256 2005-04-18 18:38:59 c:\program files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 126,104 2006-03-27 15:57:12 c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe

----a-w 180,269 2006-05-15 16:41:52 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 204,800 2003-08-27 01:47:34 c:\program files\Dell\Media Experience\bak\PCMService.exe

----a-w 270,336 2003-09-21 21:21:16 c:\program files\Dell AIO Printer A960\bak\dlbfbmgr.exe

----a-w 16,384 2007-11-15 14:24:00 c:\program files\Dell Support Center\gs_agent\custom\bak\dsca.exe
----a-w 16,384 2007-11-15 13:24:00 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

----a-w 460,784 2007-03-15 15:09:36 c:\program files\DellSupport\bak\DSAgnt.exe

----a-w 267,048 2008-01-15 08:22:56 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 05:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 582,992 2007-08-04 06:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe
----a-w 641,208 2008-07-11 22:48:54 c:\program files\McAfee.com\Agent\mcagent.exe

----a-w 53,248 2003-10-06 16:05:40 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

----a-w 118,784 2003-10-06 16:05:40 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 99,480 2004-04-05 21:33:54 c:\program files\Pure Networks\Port Magic\bak\PortAOL.exe

----a-w 385,024 2008-01-10 20:27:36 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 36,904 2007-01-17 19:24:46 c:\program files\SiteAdvisor\6172\bak\SiteAdv.exe

----a-w 28,672 2003-08-13 16:27:40 c:\windows\SYSTEM32\bak\DSentry.exe

----a-w 77,824 2005-09-20 13:32:24 c:\windows\SYSTEM32\bak\hkcmd.exe

----a-w 114,688 2005-09-20 13:36:20 c:\windows\SYSTEM32\bak\igfxpers.exe

----a-w 94,208 2005-09-20 13:35:40 c:\windows\SYSTEM32\bak\igfxtray.exe

----a-w 114,741 2003-08-06 07:04:00 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [N/A]
"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Sonic RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="c:\windows\BCMSMMSG.exe" [2003-08-29 122880]
"HostManager"="c:\program files\Common Files\AOL\1102280339\ee\AOLSoftware.exe" [N/A]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"CPMf73a840e"="c:\windows\system32\luruwono.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"majowuhole"="c:\windows\system32\loluwuke.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-05-14 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102280339\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" [2008-11-30 1086840]
S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [2007-12-05 20640]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ba10900e-6414-4038-8d09-9a51f5e95fc3} - c:\windows\system32\jayidigo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
.
------- File Associations -------
.
VBSFile="c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .vb1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 16:12:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\America Online 9.0a\waol.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\wanmpsvc.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\America Online 9.0a\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-12-06 16:26:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 21:24:51

Pre-Run: 40,791,678,976 bytes free
Post-Run: 40,878,878,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

267 --- E O F --- 2008-11-12 08:03:58

******************************************************************
Latest HijackThis log
******************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:24 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] "C:\WINDOWS\BCMSMMSG.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102280339\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPMf73a840e] Rundll32.exe "c:\windows\system32\luruwono.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\loluwuke.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [majowuhole] Rundll32.exe "C:\WINDOWS\system32\loluwuke.dll",s (User 'Default user')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9202 bytes
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Sharagoz » December 7th, 2008, 11:03 am

You need to temporarily disable McAfee before the next step.
Right-click on the McAfee icon in the system tray next to the clock and choose Exit.
Click Yes on the warning prompt.

1) Run ComboFix with CFScript
  • Right-click on your desktop, select New -> Text file
  • Name the file CFScript.txt
  • Open CFScript.txt and copy the contents of the code box below into it, save and close
    Code:
    File::
    c:\windows\SYSTEM32\sapemogi.exe
    c:\windows\SYSTEM32\sunapija.exe
    
    Folder::
    c:\program files\Azureus
    c:\documents and settings\Evelyn\Application Data\Azureus
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CPMf73a840e"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "majowuhole"=-
    
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "majowuhole"=-
    
    DirLook::
    C:\Binaries
    
  • Drag CFScript.txt on top of the ComboFix.exe icon and release
  • ComboFix will start if you did this correctly
  • When ComboFix has finished scanning, a log will open
  • Include this log in your next reply

ComboFix may reboot your computer.
If it does, McAfee needs to be disabled again before you do the next two steps.

2) Download and run CCleaner
  • Download CCleaner from here
  • Install and launch CCleaner
  • Click the Options button and select Advanced
  • Uncheck the option "Only delete files in Windows Temp folders older than 48 hours"
  • Click the Cleaner button
  • If you wish to avoid being logged out of all websites you're currently logged into, make sure Cookies are unchecked for the web browser(s) you use. Internet Explorer is located under the Windows tab, other browsers are located under the Applications tab
  • Click the Run Cleaner button at the bottom right of the window
  • Click Yes at the prompt and let the cleaner finish
Note:
If there is more than one user account on this computer, run CCleaner using this procedure on all other user accounts as well

3) Download and Run Malwarebytes Anti-Malware
  • Download Malwarebytes' Anti-Malware and install the program
  • At the end, make sure a checkmark is placed next to:
    o Update Malwarebytes' Anti-Malware
    o Launch Malwarebytes' Anti-Malware
  • Click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, click Check for updates
  • Select Perform full scan, then click Scan to start scanning
  • When the scan is complete, click OK, then Show Results to view the results
  • Make sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Include this log in your next reply
Note:
If you for some reason lose the log, it can be retrieved manually from this location:
C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Optional Removal: Viewpoint
You have Viewpoint Manager installed.
Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM).
Viewpoint Manager is considered foistware since it is installed without the user's approval. Anything that is installed without your consent is suspect.
If you wish to uninstall Viewpoint, go to Add/Remove Programs and uninstall the following:
Viewpoint Manager (Remove Only)
Viewpoint Media Player

4) Updating Java
Your version of Java is outdated. I strongly recommend you update, since many applications depend on Java and a lot of malware exploits security holes present in old versions of Java.
  • First uninstall the old versions through Add/Remove Programs:

    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 6
    Java(TM) SE Runtime Environment 6 Update 1

  • After the old versions are uninstalled, download and install the newest versions of JRE and JDK from here:
    http://java.sun.com/javase/downloads/index.jsp
  • You need the two packages on top of the list, Java SE Runtime Environment (JRE) 6 Update 11 and Java SE Development Kit (JDK) 6 Update 11

5) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
ComboFix log
Malwarebytes log
New HJT log

Questions:
Do you know what this file is or what it belongs to?
C:\windows\system32\removal.exe
It was created in the beginning of November.

Several of the security center monitoring features have been turned off.
(This means the messages it gives regarding no firewall, firewall turned off, no AV, av outdated, etc)
Did you do this yourself?
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

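The question above about the Security Center monitoring features comes straight from the registry keys ComboFix prints under "Reg Loading Points". As an added example (not code from the forum post or from ComboFix), here is a small Python checker that parses that REGEDIT4-style fragment and flags the notification-suppression, per-product monitoring and firewall-policy values; the sample text is constructed to mirror the key layout of such a log, and the key names and thresholds used are assumptions about that format.

```python
"""Flag Security Center / firewall tampering in a ComboFix 'Reg Loading Points'
section (REGEDIT4-style text).

Added example, not code from the forum post or from ComboFix. SAMPLE below is a
constructed fragment in the same layout ComboFix prints, not a real log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Security Center values that, when set to 1, silence its warnings.
# (Assumed set of names; the first and third appear in the thread's log.)
SC_NOTIFY_FLAGS = {
    "antivirusdisablenotify": "AV status warnings suppressed",
    "firewalldisablenotify": "firewall status warnings suppressed",
    "updatesdisablenotify": "Windows Update warnings suppressed",
}

# Constructed sample, laid out like a ComboFix 'Reg Loading Points' section.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lowercased): {value name (lowercased): raw value}}.

    Lines such as '@="Service"' or file listings do not match VALUE_RE and
    are ignored, which is what we want for this check.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2).strip()
    return sections


def _to_int(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' style into an int."""
    m = re.match(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def find_tampering(text: str) -> List[Tuple[str, str]]:
    """Return (registry key, description) for each suspicious setting."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_sections(text).items():
        if key.endswith("\\security center"):
            for name, desc in SC_NOTIFY_FLAGS.items():
                if _to_int(values.get(name, "")) == 1:
                    findings.append((key, desc))
        elif "\\security center\\monitoring\\" in key:
            # One subkey per product; DisableMonitoring=1 hides that product's state.
            if _to_int(values.get("disablemonitoring", "")) == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append((key, f"Security Center no longer monitors {product}"))
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            if _to_int(values.get("enablefirewall", "")) == 0:
                findings.append((key, "Windows Firewall disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for key, desc in find_tampering(SAMPLE):
        print(f"{desc}\n    [{key}]")
```

Whether such settings are malware persistence or the user's own doing (as the poster explains in the next reply) cannot be told from the values alone, which is why the helper asks.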
Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 7th, 2008, 12:26 pm

Hi, that removal.exe was simply my attempt to outsmart whatever was blocking me from running the Windows Malicious Software Removal Tool (mrt.exe). It was being terminated by the malware on my machine and I wasn't able to run it until the file had been renamed. Also, I had to turn off the various features of Security Center in order to disable McAfee. The version I'm running did not have the option to exit when I right-clicked the icon in the system tray. I will go ahead and begin the steps you have outlined unless you advise not to.
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 7th, 2008, 8:03 pm

Hi Sharagoz, sorry it took so long, but everything went well and it looks like I'm clean from what I can tell. Here are the logs you requested.

-----------------------------------------------------------------------------------
ComboFix log
-----------------------------------------------------------------------------------
ComboFix 08-12-06.06 - Evelyn 2008-12-07 15:51:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.758 [GMT -5:00]
Running from: c:\documents and settings\Evelyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Evelyn\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\sapemogi.exe
c:\windows\SYSTEM32\sunapija.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Evelyn\Application Data\Azureus
c:\documents and settings\Evelyn\Application Data\Azureus\.certs
c:\documents and settings\Evelyn\Application Data\Azureus\.keystore
c:\documents and settings\Evelyn\Application Data\Azureus\.lock
c:\documents and settings\Evelyn\Application Data\Azureus\active\2E01E001FB4C7DDDDCCDB5D0C829EDD279F896C9.dat
c:\documents and settings\Evelyn\Application Data\Azureus\active\2E01E001FB4C7DDDDCCDB5D0C829EDD279F896C9.dat.bak
c:\documents and settings\Evelyn\Application Data\Azureus\active\92161081A80B57440C39B3305E383D266AA0574A.dat
c:\documents and settings\Evelyn\Application Data\Azureus\active\92161081A80B57440C39B3305E383D266AA0574A.dat.bak
c:\documents and settings\Evelyn\Application Data\Azureus\active\cache.dat
c:\documents and settings\Evelyn\Application Data\Azureus\active\F5C201C9CD58CAE131BA42A68DCE352A73A851D2.dat
c:\documents and settings\Evelyn\Application Data\Azureus\active\F5C201C9CD58CAE131BA42A68DCE352A73A851D2.dat.bak
c:\documents and settings\Evelyn\Application Data\Azureus\azureus.config
c:\documents and settings\Evelyn\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\azureus.statistics
c:\documents and settings\Evelyn\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Evelyn\Application Data\Azureus\banips.config
c:\documents and settings\Evelyn\Application Data\Azureus\banips.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Evelyn\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Evelyn\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Evelyn\Application Data\Azureus\dht\general.dat
c:\documents and settings\Evelyn\Application Data\Azureus\dht\version.dat
c:\documents and settings\Evelyn\Application Data\Azureus\downloads.config
c:\documents and settings\Evelyn\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\friends.config
c:\documents and settings\Evelyn\Application Data\Azureus\friends.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Evelyn\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_Engine_6.txt
c:\documents and settings\Evelyn\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\Evelyn\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Evelyn\Application Data\Azureus\metasearch.config
c:\documents and settings\Evelyn\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\net\pm_6197.dat
c:\documents and settings\Evelyn\Application Data\Azureus\net\pm_6389.dat
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.8.4.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.8.4.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.0.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.0.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.10.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.10.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.6.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_1.9.6.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.11.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.11.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.28.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.28.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azmplay.exe
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\azmplay.exe.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\cp1250-a.raw
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\cp1250-a.raw.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\cp1250-b.raw
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\cp1250-b.raw.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\font.desc
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\font.desc.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\libInfoGetter.dll
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\mplayer\config
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_1.8.4
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.0
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.10
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.6
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.11
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.28
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.2
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.3
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.6
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\documents and settings\Evelyn\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\documents and settings\Evelyn\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Evelyn\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\subs\8604680C6C0217A05619.vuze
c:\documents and settings\Evelyn\Application Data\Azureus\subs\C732D6BA9C09C29B2FA3.vuze
c:\documents and settings\Evelyn\Application Data\Azureus\subs\FF0EBBE21CEC049A539D.vuze
c:\documents and settings\Evelyn\Application Data\Azureus\subscriptions.config
c:\documents and settings\Evelyn\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\tables.config
c:\documents and settings\Evelyn\Application Data\Azureus\tables.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\timingstats.dat
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41363.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41364.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41365.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41366.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41367.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41368.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41369.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41370.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41374.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41375.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41376.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\tmp\AZU41377.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\[isoHunt]_The_Chronic.torrent
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZ_54842.torrent
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU1034.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU12601.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU12604.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU13711.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU16163.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU16165.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU16167.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU16171.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU20028.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU24161.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU27191.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU27194.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU30873.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU30877.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU39338.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU39419.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU39888.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU41266.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU41371.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU4781.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU48178.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU48183.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU56715.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU5751.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU62150.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU62152.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU62782.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU62785.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU63074.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU63284.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\AZU63288.tmp
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\Destinys_Child_-_The_Writings_on_the_Wall_-_By_[ANOUS].3910273.TPB_-[mininova.org]-_[mininova].torrent
c:\documents and settings\Evelyn\Application Data\Azureus\torrents\Lil_Wayne___DJ_Drama_-_Dedication_3_[Gangsta_Grillz_Edition].4509128.TPB.torrent
c:\documents and settings\Evelyn\Application Data\Azureus\tracker.config
c:\documents and settings\Evelyn\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\unsentdata.config
c:\documents and settings\Evelyn\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Evelyn\Application Data\Azureus\update.log
c:\documents and settings\Evelyn\Application Data\Azureus\update.properties
c:\documents and settings\Evelyn\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Evelyn\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Evelyn\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Evelyn\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\Azureus
c:\program files\Azureus\AzureusUpdater.exe
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
c:\program files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
c:\program files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.5
c:\program files\Azureus\plugins\azupdater\plugin.properties_1.8.8
c:\program files\Azureus\plugins\azupdater\Updater.jar.bak
c:\windows\SYSTEM32\sapemogi.exe
c:\windows\SYSTEM32\sunapija.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-03 21:59 . 2008-12-03 21:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 21:27 . 2008-12-03 21:27 <DIR> d-------- C:\VundoFix Backups
2008-12-02 07:57 . 2008-11-03 16:10 17,318,336 --a------ c:\windows\SYSTEM32\removal.exe
2008-12-01 20:09 . 2008-12-01 20:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2008-12-01 19:59 . 2004-03-12 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-01 19:59 . 2004-03-12 03:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-01 19:59 . 2008-03-23 10:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-01 19:59 . 2008-12-01 19:59 <DIR> d-------- c:\documents and settings\Administrator
2008-11-30 22:52 . 2008-11-30 22:52 <DIR> d-------- C:\Binaries
2008-11-30 22:51 . 2008-11-30 22:51 <DIR> d-------- c:\program files\Webroot
2008-11-30 22:51 . 2008-11-30 22:51 <DIR> d-------- c:\documents and settings\Evelyn\Application Data\Webroot
2008-11-30 22:51 . 2008-11-30 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-30 22:51 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-30 22:49 . 2008-12-01 21:27 164 --a------ C:\install.dat
2008-11-28 16:08 . 2008-12-01 21:13 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-28 16:08 . 2008-12-01 21:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 13:41 . 2008-11-22 13:41 <DIR> d-------- c:\program files\iPod
2008-11-22 13:40 . 2008-11-22 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 16:02 . 2008-11-12 16:02 170,608 --a------ c:\windows\SYSTEM32\DRIVERS\ssidrv.sys
2008-11-12 16:02 . 2008-11-12 16:02 29,808 --a------ c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys
2008-11-12 16:02 . 2008-11-12 16:02 23,152 --a------ c:\windows\SYSTEM32\DRIVERS\sshrmd.sys
2008-11-11 16:59 . 2008-09-04 12:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-11 16:59 . 2008-10-24 06:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 01:36 --------- d-----w c:\program files\Safari
2008-12-03 02:38 --------- d-----w c:\documents and settings\Evelyn\Application Data\SiteAdvisor
2008-11-29 01:37 --------- d-----w c:\program files\Security Task Manager
2008-11-22 18:41 --------- d-----w c:\program files\iTunes
2008-11-22 18:38 --------- d-----w c:\program files\QuickTime
2008-11-22 18:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-16 14:58 --------- d-----w c:\program files\McAfee
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-02-21 15:37 60,968 ----a-w c:\documents and settings\Evelyn\GoToAssistDownloadHelper.exe
2004-10-19 20:19 46,688 ----a-w c:\documents and settings\Evelyn\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Binaries ----

2002-06-27 13:22 75 --a------ c:\binaries\SOAPVDIR.CMD
2002-06-27 13:22 11729 --a------ c:\binaries\_svdir.VBS


((((((((((((((((((((((((((((( snapshot@2008-12-06_16.20.32.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 19:47:29 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-12-07 20:06:46 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-12-06 19:47:29 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-12-07 20:06:46 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 04:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 39,792 2007-10-11 00:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 192,512 2006-10-30 16:00:56 c:\program files\Bellsouth\HelpCenter\bin\bak\sprtcmd.exe

----a-w 50,792 2006-04-13 20:36:53 c:\program files\Common Files\AOL\1102280339\EE\bak\AOLSoftware.exe

----a-r 71,256 2005-04-18 18:38:59 c:\program files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 126,104 2006-03-27 15:57:12 c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe

----a-w 180,269 2006-05-15 16:41:52 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 204,800 2003-08-27 01:47:34 c:\program files\Dell\Media Experience\bak\PCMService.exe

----a-w 270,336 2003-09-21 21:21:16 c:\program files\Dell AIO Printer A960\bak\dlbfbmgr.exe

----a-w 16,384 2007-11-15 14:24:00 c:\program files\Dell Support Center\gs_agent\custom\bak\dsca.exe
----a-w 16,384 2007-11-15 13:24:00 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

----a-w 460,784 2007-03-15 15:09:36 c:\program files\DellSupport\bak\DSAgnt.exe

----a-w 267,048 2008-01-15 08:22:56 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 05:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 582,992 2007-08-04 06:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe
----a-w 641,208 2008-07-11 22:48:54 c:\program files\McAfee.com\Agent\mcagent.exe

----a-w 53,248 2003-10-06 16:05:40 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

----a-w 118,784 2003-10-06 16:05:40 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 99,480 2004-04-05 21:33:54 c:\program files\Pure Networks\Port Magic\bak\PortAOL.exe

----a-w 385,024 2008-01-10 20:27:36 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 36,904 2007-01-17 19:24:46 c:\program files\SiteAdvisor\6172\bak\SiteAdv.exe

----a-w 28,672 2003-08-13 16:27:40 c:\windows\SYSTEM32\bak\DSentry.exe

----a-w 77,824 2005-09-20 13:32:24 c:\windows\SYSTEM32\bak\hkcmd.exe

----a-w 114,688 2005-09-20 13:36:20 c:\windows\SYSTEM32\bak\igfxpers.exe

----a-w 94,208 2005-09-20 13:35:40 c:\windows\SYSTEM32\bak\igfxtray.exe

----a-w 114,741 2003-08-06 07:04:00 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [N/A]
"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Sonic RecordNow!"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="c:\windows\BCMSMMSG.exe" [2003-08-29 122880]
"HostManager"="c:\program files\Common Files\AOL\1102280339\ee\AOLSoftware.exe" [N/A]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-05-14 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102280339\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" [2008-11-30 1086840]
S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [2007-12-05 20640]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 15:54:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
.
Completion time: 2008-12-07 15:58:25
ComboFix-quarantined-files.txt 2008-12-07 20:57:07
ComboFix2.txt 2008-12-06 21:26:15

Pre-Run: 40,792,866,816 bytes free
Post-Run: 40,836,644,864 bytes free

422 --- E O F --- 2008-11-12 08:03:58


---------------------------------------------------------------------------------------
Malwarebytes log
---------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 3

12/7/2008 6:31:25 PM
mbam-log-2008-12-07 (18-31-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210742
Time elapsed: 1 hour(s), 55 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\himepuka.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ledamine.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mejiyolo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mihitibo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\murodaji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nemudodi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pivejehu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\remonawe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sawibinu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sovapeha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tajovudi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tujiyivu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000041.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000124.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000126.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000127.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000128.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000129.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000132.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000133.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000136.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000137.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000140.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fakibaha.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\himegiwa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.


--------------------------------------------------------------------------------------
HijackThis log
--------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:29 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] "C:\WINDOWS\BCMSMMSG.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102280339\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9206 bytes
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 7th, 2008, 8:40 pm

Another quick question...I'm not sure if you wanted me to turn my firewall back on but when I did, I got a warning for a potentially unwanted program being detected (Tool-NirCmd). Sounds like something that we might have been using with one of the programs you asked me to install but I just wanted to ask before I checked "trust this program."
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Sharagoz » December 8th, 2008, 8:50 am

i got a warning for a potentially unwanted program being detected (Tool-NirCmd)

You are right, the detection is related to the tool we used called ComboFix, and is a false detection.

Your logs are now clean, well done!
Unless you have discovered new problems, it's time to do the final steps.

1) Cleaning up after the removal procedures
  • 1.1) Uninstall through Add/Remove Programs
    • Locate and uninstall the below programs unless you want to keep some of them for future usage:
      CCleaner
      Malwarebytes' Anti-Malware
  • 1.2) Uninstall ComboFix
    • Press the windows key and the R key at the same time to open the Run dialog box
    • Type in combofix /u and press Enter
    • This will uninstall ComboFix
  • 1.3) Other deletions
    • C:\ComboFix (folder)
      C:\ComboFix.txt
      CFScript.txt (on your desktop)
    • Delete any other logs that remain on your desktop.
  • 1.4) Enable SpySweeper
      If you haven't already, you can enable SpySweeper again using a similar procedure to the one I outlined in this post
      (You simply check instead of uncheck)

2) Taking measures to prevent your computer from being infected again
    Now that your computer is free from malware you may want to know how you can prevent this from happening again.
    Below I'm quoting a tutorial I've written which I post to everybody I help here at MWR.
    It covers the key parts of the software side of computer security. What steps you take or don't take to increase your own computer's security is of course up to you.
    In purple I have added some comments that apply specifically to your computer.
    The tutorial will take a little while to get through, but I hope you find it to be worth your time.
    If you have any questions beyond this, feel free to ask.

  • 2.1) Windows updates
    This is the most important security measure. With an unpatched operating system you will be defenseless even with top-notch security software.
    Malware often exploits security holes in your operating system to install itself, and keeping your OS up to date at all times will make sure this risk is at a minimum.
    Visit http://update.microsoft.com/ using Internet Explorer, and get all critical updates.
    You may have to repeat the update procedure several times before you get all updates. Repeat it until there are no more critical updates showing as missing.
    Also, I recommend you turn on automatic updates if you haven't already.

  • 2.2) Immunization software
    These security measures do not do any real-time scanning. All they do is block sites that host malware, sites that advertise for malware, malicious ActiveX objects, malicious browser helpers, and cookies that have been identified as bad.
    These protection measures have proven very effective against "internet related" threats and require virtually no computer resources.
    - MVP hosts
      Blocks roughly 25k online domains that host or advertise for malware.
      Will significantly reduce the chance of getting in trouble by accidentally visiting the wrong page.
    • Download hosts.zip from here
    • Extract the content to your desktop.
    • Copy the file called "HOSTS" to the folder C:\windows\system32\drivers\etc
    • And say "yes" to overwriting the existing file
    • Delete the installation files from your desktop
    Notes:
    If you have previously added custom entries to your own hosts file, these will have to be re-added after the new hosts file is installed.
    The MVP hosts file should be downloaded and re-installed every now and then to keep it up to date.
    If you install MVP Hosts you should disable a service called "DNS client".
    If you don't, your browser(s) will use 10-60 seconds longer to start than what you are used to.
    Disabling this service will have no side-effects. Its purpose is to put domains in cache, but there is no noticeable increase in browsing speed.
    To disable the "DNS Client" service, do the following:
    • Press the windows key and the R key at the same time to open the run dialog box
      (the windows key is usually located to the left of the space bar and is labeled with a windows logo).
    • Type in "services.msc" (without the quotes) and press enter.
    • Right-click on "DNS client" and choose "Stop".
    • After the service has stopped, right-click on it again, choose "Properties" and set "startup type" to "disabled", press "Apply" and "OK".

    - Javacool Spywareblaster
      Multi-purpose blocker of activeX objects, browser helpers and unwanted cookies.
    • Download Spywareblaster from here and install it using default settings
    • Launch Spywareblaster
    • Click "manual updating" (automatic requires a subscription)
    • Click "updates"->"check for updates"
    • When the updates are finished downloading, click "protection status" -> "enable all protection"
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    - Spybot immunization
      Multi-purpose blocker of domains, activeX objects, browsers helpers and unwanted cookies.
    • Download Spybot from here
    • When installing spybot, be sure to uncheck "Security center integration", "Separate secure shredder application" and "use system settings protection (teatimer)".
      These features have more cons than pros.
    • Launch Spybot
    • Click "update" -> "check for updates" and install all available updates.
    • Click "Immunize" in the left menu and then "immunize" in the right-hand window to enable the protection. (this may take a couple of minutes to finish)
    Note:
    The last two steps should be repeated from time to time to keep the protection up to date.

    After immunization you will start to notice that on some pages advertisements are not displayed; instead it shows an icon indicating that an image couldn't be loaded.
    The reason for this is that the immunization is blocking the sites that are hosting the ads because they have been found to advertise for malicious software.
    If you try to enter a website that is being blocked, the browser will simply say "the webpage could not be displayed".

  • 2.3) Real-time protection
    These security measures work in real time and scan computer activity as it is happening (anti-virus/anti-malware scans a file before it allows it to be opened, a firewall controls network traffic and blocks it unless you have allowed it to happen).
    This requires a lot of system resources, so what we are looking for is applications with a good detection rate and low resource usage that don't cause problems for legitimate applications.
    These are my recommendations.
    - Anti-virus
      Anti-virus software is meant to detect files infected with viruses and to detect worms, but also has anti-spy/adware capabilities.
      Here are three good, free alternatives (only free for non-commercial use).
    • Avira AntiVir
    • Alwil Avast
    • AVG Anti-virus
    Note:
    Never have more than one Anti-virus application installed. Installing a second one is likely to cause conflicts between the two and apart from making your system unstable it will reduce your security rather than increase it.
    I would recommend you keep McAfee since it is a pay-for security suite.
    If you decide to abandon McAfee it should be with the intention of switching from a suite-based solution to a solution where you pick the components yourself (anti-virus, anti-malware, firewall).


    - Anti-malware
      These applications are meant to supplement your antivirus as they are aimed specifically at detecting malicious programs.
      This can be displaying advertising (adware), tracking your internet surfing (spyware), giving other people control over your computer (backdoors) and the like.
      Unfortunately, in the anti-malware department there aren't any great free alternatives like there are in the anti-virus department.
      If you want an anti-malware application worth using you'll need to purchase one. Here are three good alternatives:
    • Malwarebytes' Anti-Malware
    • A-squared Anti-Malware (can be tried for 30 days for free)
    • SUPERAntiSpyware (can be tried for 14 days for free)
    Note:
    You can have more than one of these running at the same time, but I don't recommend it because it only gives a small increase in security while a big increase in usage of system resources.

    - 3rd party Firewall
      Modern operating systems and routers have firewalls built into them that control incoming traffic so the only reason to install a 3rd party firewall is to control outgoing traffic.
      A firewall is different from other security software as it really is a tool you need to learn how to use, rather than an automatic security solution. An anti-virus application, for instance, you usually just install and then it runs in the background and only alerts you if something is wrong.
      That is not the case with firewalls. It will alert you whenever something tries to connect to the internet, whether it's good or bad, and then it's up to you to allow or deny the request. So ultimately you are increasing the security yourself with the help of the firewall.
      If you want to have top notch security you need a 3rd party firewall and the knowledge of how to use it. This will be your last line of defense should something bad get through your immunization, and anti-virus/anti-malware protection.
      It enables you to prevent a trojan downloader from downloading malware to your computer should you end up with one, or prevent malware from sending personal information after it has collected it.
      Here are three good, free alternatives. They each have their own support forum that can help you learn how to set up and use their firewall.
    • Comodo
      (If you choose this one, be sure to uncheck the following alternatives during installation:
      "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
    • PCTools Firewall
    • Online Armor
    Same comment as for Anti-Virus. Don't install one of these alongside McAfee.

    - Winpatrol
      This program is not strictly a security application, but gives you a lot more control over your computer.
      Like a firewall it's a tool you need to learn how to use.
      Basically it watches your system settings and alerts you if an application tries to change something. Then it's up to you to accept or deny this change.
      Its main purpose is to watch programs that add themselves to auto-start, but it also watches file associations, activeX objects and Internet Explorer helpers.
      Most programs do not need to be on auto-start, and the bad thing about auto-start is that it clogs down system resources.
      With winpatrol you can easily detect and prevent when an unwanted auto-start entry is added, and this becomes an additional security layer because most malware will add itself to auto-start.
      You can download winpatrol from here
      And here's a link to a place where you can get more information on how to use it

    If you managed to read through all of that you're probably asking "do I really need that much security software?".
    That depends on what your computer is used for.
    I'd say that everybody who uses a computer on the internet today really needs the following:
    - Windows updates (having all windows updates is more important than any security software)
    - The immunization features in step 2.2
    - Anti-virus
    That's the minimum.
    If you use your computer for financial transactions (online bank, web-shopping, etc) or have sensitive information stored on the computer, you should strongly consider buying an anti-malware app and get a 3rd party firewall to enhance security.
    If you like to use your computer freely and install a lot of different programs, use file-sharing applications and surf all over the web you should also consider enhancing security as you'll be more at risk for infections.

    Finally, I will recommend you read this article called How did I get infected in the first place?
    Some of the advice related to security software is a bit outdated, but the first part called "Safe Computer Practices" is still as valid and important as ever.


That's it.
If you have questions or comments, please respond back and let me know. If you do not respond, this thread will be closed within 48 hours.
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
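The MVP hosts step in the post above notes that custom entries in the existing hosts file have to be re-added by hand after the new file is copied over. The Python below is an added example, not code from the post or from the MVP hosts project: it carries those custom entries over automatically, and also flags any line in a downloaded blocklist that maps a name to a routable address instead of 0.0.0.0/127.0.0.1, since that is the pattern of a tampered hosts file rather than a block. All file contents in it are constructed samples.

```python
"""Carry custom hosts entries over when installing a new MVP-style HOSTS file.

Added example; not code from the forum post or the MVP hosts project. It assumes
the MVP convention that blocked domains map to 0.0.0.0 or 127.0.0.1, so any other
mapping in the old file is a custom entry to keep. All file contents are samples.
"""
from __future__ import annotations
from dataclasses import dataclass

BLOCK_ADDRS = {"0.0.0.0", "127.0.0.1"}
# Stock loopback names every hosts file carries; never treated as custom.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


@dataclass(frozen=True)
class HostsEntry:
    addr: str
    name: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """One (address, hostname) pair per hostname; comments and blanks skipped."""
    entries: list[HostsEntry] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend(HostsEntry(parts[0], n.lower()) for n in parts[1:])
    return entries


def is_custom(entry: HostsEntry) -> bool:
    """User-added mapping: not a block address and not a stock loopback name."""
    return entry.name not in LOCAL_NAMES and entry.addr not in BLOCK_ADDRS


def blocked_domains(text: str) -> set[str]:
    """Domains the file neutralises by mapping them to a block address."""
    return {e.name for e in parse_hosts(text)
            if e.addr in BLOCK_ADDRS and e.name not in LOCAL_NAMES}


def validate_blocklist(text: str) -> list[HostsEntry]:
    """A downloaded blocklist should only map names to a block address. Entries
    that send a name to a routable address are returned as suspicious: that is
    how a tampered hosts file hijacks names, not how a blocklist blocks them."""
    return [e for e in parse_hosts(text) if is_custom(e)]


def merge_hosts(old_text: str, new_text: str) -> tuple[str, list[HostsEntry], list[str]]:
    """Append the old file's custom entries to the new blocklist.

    If the blocklist also blocks a name the user mapped deliberately, the custom
    mapping wins: the name is dropped from the blocklist line and reported in the
    returned conflicts list for review."""
    customs = [e for e in parse_hosts(old_text) if is_custom(e)]
    custom_names = {e.name for e in customs}
    kept: list[str] = []
    conflicts: list[str] = []
    for raw in new_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            names = [n.lower() for n in parts[1:]]
            hit = [n for n in names if n in custom_names]
            if hit:
                conflicts.extend(hit)
                remaining = [n for n in names if n not in custom_names]
                if not remaining:
                    continue  # every name on the line conflicted; drop the line
                raw = f"{parts[0]}\t{' '.join(remaining)}"
        kept.append(raw)
    kept += ["", "# custom entries carried over from the previous hosts file"]
    kept += [f"{e.addr}\t{e.name}" for e in customs]
    return "\n".join(kept) + "\n", customs, sorted(set(conflicts))


# Constructed samples for the machine's current file and the downloaded one
# (not the real MVP list).
OLD_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.50    printer.lan          # office printer
10.0.0.7        dev.example.test
0.0.0.0         ads.example.net      # left behind by an earlier install
"""
NEW_HOSTS = """\
# MVP-style blocklist (constructed sample)
127.0.0.1  localhost
0.0.0.0  ads.example.net
0.0.0.0  tracker.example.org  dev.example.test
0.0.0.0  malware-host.example.com
"""
# Redirects a vendor-style name to a routable address: a hijack, not a block.
TAMPERED_HOSTS = "127.0.0.1  localhost\n203.0.113.9  update.example-av.test\n"

if __name__ == "__main__":
    merged, customs, conflicts = merge_hosts(OLD_HOSTS, NEW_HOSTS)
    print(f"carried over {len(customs)} custom entries; conflicts: {conflicts}")
    print(f"{len(blocked_domains(merged))} domains blocked after merge")
    print("suspicious entries in tampered sample:", validate_blocklist(TAMPERED_HOSTS))
```

Run it against the real C:\windows\system32\drivers\etc\hosts and the extracted MVP file by reading both into strings; review anything reported in the conflicts list before writing the merged result back.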

Re: Virumondo recurring when using Spy Sweeper

Unread postby Chris45 » December 8th, 2008, 8:35 pm

I just want to say thanks for all your help. You guys are really awesome on here!!
Chris45
Active Member
 
Posts: 8
Joined: December 4th, 2008, 12:31 am

Re: Virumondo recurring when using Spy Sweeper

Unread postby Sharagoz » December 9th, 2008, 4:50 am

You're welcome :)
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway

Re: Virumondo recurring when using Spy Sweeper

Unread postby NonSuch » December 14th, 2008, 5:01 am

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California