Thread: Yet another Virtumonde problem.

  1. #1
    Junior Member (joined Nov 2007, 3 posts)

    Yet another Virtumonde problem.

    This started yesterday, when I got the virus from somewhere. It started small, just the ads that Virtumonde gives, later accompanied by error messages and popups telling me I needed their spyware scanner. I eventually got rid of it (or so I thought) with VundoFix, but when I ran Spybot S&D that night, it came right back. I ran VundoFix again to stop the ads, but I know it's not gone yet. I read this thread:
    http://forums.spybot.info/showthread.php?t=19904
    and tried to fix the problem, but although I slightly understand the logs, I don't feel like I understand it enough to try and fix this without help.

    Anyways, here's some logs:

    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:51 PM, on 11/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\Ati2evxx.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS2\system32\Ati2evxx.exe
    C:\WINDOWS2\Explorer.EXE
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\WINDOWS2\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS2\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\I8kfanGUI\I8kfanGUI.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS2\system32\notepad.exe
    C:\WINDOWS2\system32\rundll32.exe
    C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [247f62df] rundll32.exe "C:\WINDOWS2\system32\jrektxsp.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS2\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS2\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS2\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5225 bytes

  2. #2
    Junior Member (joined Nov 2007, 3 posts)

    ComboFix:

    ComboFix 07-11-19.3 - Owner 2007-11-22 11:24:28.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.514 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
    C:\WINDOWS2\system32\ijllm.ini
    C:\WINDOWS2\system32\ijllm.ini2
    C:\WINDOWS2\system32\mllji.dll
    C:\WINDOWS2\system32\oehczwiw.dllbox

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
    .

    2007-11-22 03:37 737,738 ---hs---- C:\WINDOWS2\system32\psxtkerj.ini
    2007-11-22 03:37 85,056 --a------ C:\WINDOWS2\system32\jrektxsp.dll
    2007-11-22 03:34 145,984 --a------ C:\WINDOWS2\system32\dvdptyeu.dll
    2007-11-22 03:31 71,232 --a------ C:\WINDOWS2\system32\hfwvllnh.exe
    2007-11-21 19:20 <DIR> d-------- C:\Program Files\MozBackup
    2007-11-21 13:23 <DIR> d-------- C:\VundoFix Backups
    2007-11-21 12:21 714,881 --ahs---- C:\WINDOWS2\system32\aqbevdvi.ini
    2007-11-21 12:15 71,232 --a------ C:\WINDOWS2\system32\ixynfmlu.exe
    2007-11-21 12:03 37,888 --a------ C:\WINDOWS2\system32\drivers\SSDefrag.sys
    2007-11-20 17:55 38,229 --a------ C:\WINDOWS2\system32\drivers\StMp3Rec.sys
    2007-11-20 17:54 <DIR> d-------- C:\Program Files\iPod
    2007-11-20 17:53 <DIR> d-------- C:\WINDOWS2\Downloaded Installations
    2007-11-16 18:25 <DIR> d-------- C:\Program Files\Babo Violent 2
    2007-11-13 20:16 <DIR> d-------- C:\Program Files\CrossLoop
    2007-11-12 22:40 <DIR> d-------- C:\Program Files\ASIO4ALL v2
    2007-11-12 22:39 225,280 --a------ C:\WINDOWS2\system32\rewire.dll
    2007-11-11 11:57 <DIR> d-------- C:\Program Files\DAEMON Tools
    2007-11-11 11:51 685,816 --a------ C:\WINDOWS2\system32\drivers\sptd.sys
    2007-11-11 11:41 26,624 --a------ C:\WINDOWS2\system32\FileDisk.exe
    2007-11-11 11:41 10,588 --a------ C:\WINDOWS2\system32\drivers\FileDisk.sys
    2007-11-09 23:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
    2007-11-04 18:44 <DIR> d-------- C:\Program Files\Liquid War
    2007-11-04 10:33 <DIR> d-------- C:\Program Files\Foxit Software
    2007-11-02 21:37 3,727,720 --a------ C:\WINDOWS2\system32\d3dx9_35.dll
    2007-11-02 21:37 3,497,832 --a------ C:\WINDOWS2\system32\d3dx9_34.dll
    2007-11-02 21:37 1,358,192 --a------ C:\WINDOWS2\system32\D3DCompiler_35.dll
    2007-11-02 21:37 1,124,720 --a------ C:\WINDOWS2\system32\D3DCompiler_34.dll
    2007-11-02 21:37 444,776 --a------ C:\WINDOWS2\system32\d3dx10_35.dll
    2007-11-02 21:37 443,752 --a------ C:\WINDOWS2\system32\d3dx10_34.dll
    2007-11-02 21:29 <DIR> d-------- C:\Program Files\Electronic Arts
    2007-11-02 17:43 <DIR> d-------- C:\Program Files\I8kfanGUI
    2007-11-02 17:43 14,464 --a------ C:\WINDOWS2\system32\drivers\fanio.sys
    2007-10-25 23:02 <DIR> d-------- C:\Program Files\Blender Foundation
    2007-10-23 19:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\ATI
    2007-10-23 18:01 593,920 --a------ C:\WINDOWS2\system32\ati2sgag.exe
    2007-10-23 16:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ATI
    2007-10-23 16:41 <DIR> d-------- C:\ATI
    2007-10-22 22:43 59,264 --a------ C:\WINDOWS2\system32\drivers\USBAUDIO.sys
    2007-10-22 22:42 31,616 --a------ C:\WINDOWS2\system32\drivers\usbccgp.sys
    2007-10-22 21:07 107,648 -ra------ C:\WINDOWS2\system32\drivers\vnetusbl.sys
    2007-10-22 19:13 <DIR> d-------- C:\Program Files\Medieval Software
    2007-10-22 19:11 217,088 --a------ C:\WINDOWS2\system32\BlueCiucc.dll
    2007-10-22 16:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-22 08:43 79,936 ----a-w C:\WINDOWS2\system32\xknagptw.dll
    2007-11-22 05:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spybot - Search & Destroy
    2007-11-22 05:01 --------- d-----w C:\Program Files\Steam
    2007-11-22 00:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Orbit
    2007-11-21 17:18 80,960 ----a-w C:\WINDOWS2\system32\wuqibpgg.dll
    2007-11-21 17:12 145,984 ----a-w C:\WINDOWS2\system32\wldajeji.dll
    2007-11-21 16:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
    2007-11-21 05:05 36,864 ----a-w C:\WINDOWS2\system32\wvuvtsp.dll
    2007-11-20 22:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-18 03:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
    2007-11-17 04:41 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS2\Application Data\TEMP
    2007-11-17 04:23 --------- d-----w C:\Program Files\Master of Defense
    2007-11-13 22:11 --------- d-----w C:\Program Files\GIMP-2.0
    2007-11-13 03:42 --------- d-----w C:\Program Files\VstPlugins
    2007-11-13 03:42 --------- d-----w C:\Program Files\Image-Line
    2007-11-12 00:09 --------- d-----w C:\Program Files\StepMania
    2007-11-11 16:59 --------- d-----w C:\Program Files\Microsoft Games
    2007-11-08 22:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2007-10-25 16:05 94,416 ----a-w C:\WINDOWS2\system32\drivers\aswmon2.sys
    2007-10-25 16:05 93,264 ----a-w C:\WINDOWS2\system32\drivers\aswmon.sys
    2007-10-25 16:03 23,152 ----a-w C:\WINDOWS2\system32\drivers\aswRdr.sys
    2007-10-25 16:01 42,912 ----a-w C:\WINDOWS2\system32\drivers\aswTdi.sys
    2007-10-25 15:58 26,624 ----a-w C:\WINDOWS2\system32\drivers\aavmker4.sys
    2007-10-25 15:24 815,480 ----a-w C:\WINDOWS2\system32\aswBoot.exe
    2007-10-25 15:14 95,608 ----a-w C:\WINDOWS2\system32\AvastSS.scr
    2007-10-24 11:18 --------- d-----w C:\Program Files\Viewpoint
    2007-10-24 11:18 --------- d-----w C:\Program Files\AIM6
    2007-10-24 11:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\Viewpoint
    2007-10-24 11:17 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\AOL Downloads
    2007-10-23 23:07 --------- d-----w C:\Program Files\ATI Technologies
    2007-10-23 03:48 --------- d-----w C:\Program Files\Audacity
    2007-10-22 01:33 --------- d-----w C:\Program Files\VTFEdit
    2007-10-21 21:51 --------- d-----w C:\Program Files\StepMania CVS
    2007-10-21 03:20 --------- d-----w C:\Program Files\GIMP-2.4.0-RC1
    2007-10-19 04:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\FileZilla
    2007-10-15 04:06 --------- d-----w C:\Program Files\mIRC
    2007-10-13 04:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\NexonUS
    2007-10-12 04:19 --------- d-----w C:\Program Files\FileZilla Client
    2007-10-12 03:47 --------- d-----w C:\Program Files\Nvu
    2007-10-12 03:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nvu
    2007-10-12 03:35 --------- d-----w C:\Program Files\Defraggler
    2007-10-09 21:47 --------- d-----w C:\Program Files\Java
    2007-10-08 20:55 --------- d-----w C:\Program Files\WiFiConnector
    2007-10-08 16:38 737,280 ----a-w C:\WINDOWS2\iun6002.exe
    2007-10-08 16:38 --------- d-----w C:\Program Files\ClipMagic
    2007-10-08 16:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\ClipMagic
    2007-10-06 16:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
    2007-10-05 04:35 --------- d-----w C:\Program Files\OpenOffice.org 2.3
    2007-10-05 04:34 --------- d-----w C:\Program Files\OpenOffice.org
    2007-10-05 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Wyzo
    2007-10-05 02:31 --------- d-----w C:\Program Files\Orbitdownloader
    2007-10-04 00:42 --------- d-----w C:\Program Files\Gravity Simulator
    2007-10-03 03:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\YoYoGames
    2007-10-01 23:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
    2007-09-30 16:50 --------- d-----w C:\Program Files\Game_Maker7
    2007-09-30 15:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nexon
    2007-09-30 05:04 --------- d-----w C:\Program Files\Common Files\AOL
    2007-09-30 05:04 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\AOL
    2007-09-30 03:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\FLEXnet
    2007-09-30 02:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Souptoys
    2007-09-30 02:34 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\Souptoys
    2007-09-29 22:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
    2007-09-29 22:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
    2007-09-29 22:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Application Data\AOL OCP
    2007-09-29 22:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Talkback
    2007-09-29 19:09 --------- d-----w C:\Program Files\MSXML 6.0
    2007-09-29 18:01 --------- d-----w C:\Program Files\MSBuild
    2007-09-29 17:58 --------- d-----w C:\Program Files\Intel
    2007-09-29 17:52 --------- d-----w C:\Program Files\Reference Assemblies
    2007-09-29 03:21 9,854,976 ----a-w C:\WINDOWS2\system32\atioglx2.dll
    2007-09-29 03:07 356,352 ----a-w C:\WINDOWS2\system32\ATIDEMGX.dll
    2007-09-29 02:47 172,032 ----a-w C:\WINDOWS2\system32\atiok3x2.dll
    2007-09-28 16:20 --------- d-----w C:\Program Files\jv16 PowerTools 2007
    2007-09-28 15:16 --------- d-----w C:\Program Files\Google
    2007-09-28 15:16 --------- d-----w C:\Program Files\BAE
    2007-09-27 23:02 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-09-27 23:00 --------- d-----w C:\Program Files\Webroot
    2007-09-27 23:00 --------- d-----w C:\Program Files\DIGStream
    2007-09-27 23:00 --------- d-----w C:\Documents and Settings\James\Application Data\Webroot
    2007-09-27 18:22 --------- d-----w C:\Documents and Settings\James\Application Data\Lavasoft
    2007-09-23 17:10 --------- d-----w C:\Documents and Settings\James\Application Data\Azureus
    2007-09-23 17:08 --------- d-----w C:\Documents and Settings\James\Application Data\uTorrent
    2007-09-23 01:24 --------- d-----w C:\Documents and Settings\James\Application Data\gtk-2.0
    2007-09-22 03:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-09-22 03:14 --------- d-----w C:\Program Files\Bonjour
    2007-09-22 02:16 --------- d-----w C:\Program Files\MagicDisc
    2007-09-14 16:25 581,632 ----a-w C:\VTFLib.dll
    2007-09-14 16:25 425,984 ----a-w C:\VTFEdit.exe
    2007-01-29 06:17 251 ----a-w C:\Program Files\wt3d.ini
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-21_15.24.38.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-21 19:59:22 70,526 ----a-w C:\WINDOWS2\system32\perfc009.dat
    + 2007-11-22 15:57:25 70,526 ----a-w C:\WINDOWS2\system32\perfc009.dat
    - 2007-11-21 19:59:22 436,928 ----a-w C:\WINDOWS2\system32\perfh009.dat
    + 2007-11-22 15:57:26 436,928 ----a-w C:\WINDOWS2\system32\perfh009.dat
    + 2007-11-22 16:40:57 16,384 ----atw C:\WINDOWS2\Temp\Perflib_Perfdata_734.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
    2007-11-21 00:05 36864 --a------ C:\WINDOWS2\system32\wvuvtsp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc7239e4-d658-45dd-baaa-dbcba7f6cfe7}]
    2007-11-22 03:43 79936 --a------ C:\WINDOWS2\system32\xknagptw.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-12 08:56]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
    "i8kfangui"="C:\Program Files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 11:58]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 09:16]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 00:30 C:\WINDOWS2\stsystra.exe]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 13:23]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 10:20]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
    "247f62df"="C:\WINDOWS2\system32\jrektxsp.dll" [2007-11-22 03:37]

    C:\Documents and Settings\James\Start Menu\Programs\Startup\
    MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-09-21 21:16:15]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS2\system32\wvuvtsp.dll [2007-11-21 00:05 36864]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 20:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvtsp]
    wvuvtsp.dll 2007-11-21 00:05 36864 C:\WINDOWS2\system32\wvuvtsp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS2\system32\mllji.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
    backup=C:\WINDOWS2\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtualExpander.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VirtualExpander.lnk
    backup=C:\WINDOWS2\pss\VirtualExpander.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-04-13 15:36 50792 --a------ C:\Program Files\Common Files\AOL\1191128672\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    c:\program files\steam\steam.exe -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)

    R1 fanio;FanIO driver;\??\C:\WINDOWS2\system32\drivers\fanio.sys
    S3 SSDefrag;SSDefrag;\??\C:\WINDOWS2\system32\drivers\SSDefrag.sys
    S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINDOWS2\system32\DRIVERS\vnetusbl.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-22 03:32:00 C:\WINDOWS2\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2007-10-22 21:29:56 C:\WINDOWS2\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 11:41:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-22 11:44:14 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-21 15:25
    .
    --- E O F ---

    VundoFix:


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 1:23:46 PM 11/21/2007

    Listing files found while scanning....

    C:\windows\system32\geebx.dll
    C:\windows\system32\xbeeg.bak1
    C:\windows\system32\xbeeg.bak2
    C:\windows\system32\xbeeg.ini
    C:\WINDOWS2\system32\lmpbwrbd.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\geebx.dll
    C:\windows\system32\geebx.dll Has been deleted!

    Attempting to delete C:\windows\system32\xbeeg.bak1
    C:\windows\system32\xbeeg.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\xbeeg.bak2
    C:\windows\system32\xbeeg.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\xbeeg.ini
    C:\windows\system32\xbeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS2\system32\lmpbwrbd.dll
    C:\WINDOWS2\system32\lmpbwrbd.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS2\system32\lmpbwrbd.dll
    C:\WINDOWS2\system32\lmpbwrbd.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 10:21:39 AM 11/22/2007

    Listing files found while scanning....

    C:\WINDOWS2\system32\oehczwiw.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS2\system32\oehczwiw.dll
    C:\WINDOWS2\system32\oehczwiw.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS2\system32\oehczwiw.dll
    C:\WINDOWS2\system32\oehczwiw.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    I appreciate any help, thanks.
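
    The Reg Loading Points section of the ComboFix report above is the part a helper reads first. As an added example that is not part of this thread or of any tool mentioned in it, the Python below scores a constructed subset of those lines the way an analyst triages them: keys ComboFix only prints when non-default (BHOs, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages), files dropped into system32 within days of the scan, vowel-poor random-looking basenames, and 8-hex-digit value names like the [247f62df] Run entry. The weights, the 3-day window and the name heuristic are assumptions chosen for this log, not a published rule set.

```python
import re
from datetime import date, datetime

SCAN_DATE = date(2007, 11, 22)  # from the ComboFix header in the thread above

# ComboFix prints only non-default entries under these keys, so anything shown
# deserves review; the weight says how rarely legitimate software lives there.
SENSITIVE_KEYS = {
    "browser helper objects": 2,
    "shellexecutehooks": 2,
    "winlogon\\notify": 2,
    "control\\lsa": 3,  # Authentication Packages: XP's default is msv1_0 alone
}
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]*?\.(?:dll|exe)\b', re.I)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
HEX_VALUE_RE = re.compile(r'^"[0-9a-f]{8}"=', re.I)  # value names like "247f62df"

# Constructed sample: a subset of the "Reg Loading Points" lines posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]
2007-11-21 00:05 36864 --a------ C:\WINDOWS2\system32\wvuvtsp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc7239e4-d658-45dd-baaa-dbcba7f6cfe7}]
2007-11-22 03:43 79936 --a------ C:\WINDOWS2\system32\xknagptw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-12 08:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"247f62df"="C:\WINDOWS2\system32\jrektxsp.dll" [2007-11-22 03:37]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4A54500A-65FE-4F4A-B860-20EAE2F577F9}"= C:\WINDOWS2\system32\wvuvtsp.dll [2007-11-21 00:05 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 20:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvtsp]
wvuvtsp.dll 2007-11-21 00:05 36864 C:\WINDOWS2\system32\wvuvtsp.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS2\system32\mllji.dll
"""

def random_looking(basename):
    """Vundo-style names: 5-8 lowercase letters, few vowels (ctfmon passes too, hence one point)."""
    stem = basename.rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25

def recent(line):
    """True if the first date on the line falls within 3 days before the scan."""
    m = DATE_RE.search(line)
    if not m:
        return False
    return 0 <= (SCAN_DATE - datetime.strptime(m.group(), "%Y-%m-%d").date()).days <= 3

def score_loading_points(text):
    """Return (section, path, score, reasons) for every entry scoring >= 3."""
    findings, section = [], "(none)"
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # a bracketed registry key starts a new section
            continue
        for path in PATH_RE.findall(line):
            hits = [(w, f"sensitive key ({k})") for k, w in SENSITIVE_KEYS.items() if k in section.lower()]
            if "\\system32\\" in path.lower() and recent(line):
                hits.append((2, "dropped into system32 within 3 days of the scan"))
            if random_looking(path.rsplit("\\", 1)[-1]):
                hits.append((1, "random-looking basename"))
            if HEX_VALUE_RE.match(line):
                hits.append((1, "8-hex-digit value name"))
            score = sum(w for w, _ in hits)
            if score >= 3:
                findings.append((section, path, score, [r for _, r in hits]))
    return findings

def high_confidence(text):
    """Lower-case basenames of entries scoring >= 4: the likely Vundo load chain."""
    return sorted({p.rsplit("\\", 1)[-1].lower() for _, p, s, _ in score_loading_points(text) if s >= 4})

if __name__ == "__main__":
    for section, path, score, reasons in score_loading_points(SAMPLE):
        print(f"[{score}] {path}  ({section}): {'; '.join(reasons)}")
```

    Entries scoring exactly 3, such as the Stardock wbsrv.dll Winlogon Notify DLL, land in a review tier rather than a verdict; the score is a reading aid for the log, and removal still follows the helper's instructions.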

  3. #3
    Junior Member (joined Nov 2007, 3 posts)

    Could someone please help out soon? I'm sorry for the bump, but I really need my laptop in usable condition.

  4. #4
    tashi, Member of Team Spybot (joined Oct 2005, USA, 30,961 posts)

    Hello and sorry for the wait.

    Quote Originally Posted by Jjjakal:
    Could someone please help out soon? I'm sorry for the bump, but I really need my laptop in usable condition.
    We do request members don't bump and also:
    NOTE: We do NOT ask for ComboFix etc before helpers have analysed HJT/KAV scans

    For people waiting who have not resolved their problem, we have a sticky topic:
    The Waiting Room: Post here if waiting for help longer than four days

    As it has been 10 days or more since your last post (if you still require help), it would be best to start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
