Results 1 to 10 of 10

Thread: Please Help With Virtumonde Removal

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Please Help With Virtumonde Removal

    I've got virtumonde and can't get rid of it. Please help if possible.

    In the system start up function Spybot shows WinLogon (Current System) yayaxYSJ yayaxYSj.dll

    Task Manager has 7 svchost.exe occurances running and winlogon.exe

    McAfee shows yayaxysj.dll as quarantined but it is still loading

    Here is the log from Combofix (I accidently ran it twice):

    ComboFix 08-04-29.5 - Borg 2008-05-01 8:29:11.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1588 [GMT -7:00]
    Running from: C:\Documents and Settings\Borg\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Borg\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\cgktpbfb.dll
    C:\WINDOWS\SYSTEM32\dltxsgrk.ini
    C:\WINDOWS\SYSTEM32\dMSDffii.ini
    C:\WINDOWS\SYSTEM32\dMSDffii.ini2
    C:\WINDOWS\system32\iiffDSMd.dll
    C:\WINDOWS\SYSTEM32\khdbpxqv.ini
    C:\WINDOWS\SYSTEM32\moVELkkj.ini
    C:\WINDOWS\SYSTEM32\moVELkkj.ini2
    C:\WINDOWS\system32\oscqnfed.dll
    C:\WINDOWS\SYSTEM32\rtCLRqss.ini
    C:\WINDOWS\SYSTEM32\rtCLRqss.ini2
    C:\WINDOWS\system32\srmgjnlm.ini
    C:\WINDOWS\system32\vqxpbdhk.dll
    C:\WINDOWS\system32\yayaxYSj.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
    .

    2008-04-28 10:29 . 2008-04-30 17:07 732 --a------ C:\WINDOWS\wininit.ini
    2008-04-28 08:26 . 2008-05-01 08:25 109,783 --a------ C:\WINDOWS\BMaf693516.xml

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-28 18:26 --------- d-----w C:\Program Files\Folder Lock
    2008-04-05 01:41 --------- d-----w C:\Program Files\McAfee
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
    2008-03-12 15:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-03-10 23:45 --------- d-----w C:\Program Files\eSoftware
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
    2008-02-10 22:48 691,545 ----a-w C:\WINDOWS\unins000.exe
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 339,968 2004-08-25 20:52:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

    ----a-w 135,168 2004-03-23 17:16:16 C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe

    ----a-w 582,992 2007-08-04 06:33:14 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
    ----a-w 582,992 2007-08-04 06:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

    ----a-w 1,207,080 2006-06-27 00:13:40 C:\Program Files\Microsoft ActiveSync\bak\bak\wcescomm.exe

    ----a-w 1,207,080 2006-06-27 00:13:40 C:\Program Files\Microsoft ActiveSync\bak\bak\wcescomm.exe

    ----a-w 163,840 2003-05-15 23:41:15 C:\Program Files\Microsoft IntelliPoint\bak\point32.exe

    ----a-w 114,688 2003-05-15 23:45:54 C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe

    ----a-w 77,824 2004-07-25 19:43:17 C:\Program Files\QuickTime\bak\qttask.exe

    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61B22D95-9EFB-4AB8-BD17-81E95B4A4989}]
    C:\WINDOWS\system32\ssqRLCtr.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaxYSj]
    yayaxYSj.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    C:\Program Files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    C:\Program Files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2003-11-19 15:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-15 08:03:23 C:\WINDOWS\Tasks\McDefragTask.job"
    - C:\WINDOWS\system32\defrag.exe
    "2008-04-01 08:00:19 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe.4158 0
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-01 08:32:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    disk error: C:\WINDOWS\system32\drivers\
    disk error: C:\DOCUME~1\Borg\LOCALS~1\Temp\
    disk error: C:\WINDOWS\TEMP\
    disk error: C:\WINDOWS\system32\wbem\
    disk error: C:\Documents and Settings\Borg\Application Data\
    disk error: C:\WINDOWS\
    disk error: C:\Program Files\Common Files\
    disk error: C:\
    disk error: C:\Program Files\
    disk error: C:\WINDOWS\system32\
    disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    disk error: C:\Documents and Settings\Borg\Start Menu\Programs\Startup\
    disk error: C:\Documents and Settings\Borg\Local Settings\Application Data\
    disk error: C:\WINDOWS\Occache\
    disk error: C:\WINDOWS\Fonts\

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\ati2evxx.exe
    C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    C:\WINDOWS\SYSTEM32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-01 8:34:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-01 15:34:44

    Pre-Run: 9,963,806,720 bytes free
    Post-Run: 9,877,516,288 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    151 --- E O F --- 2008-04-15 18:29:59


    And Here is the result of Hijackthis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:06:12 PM, on 5/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {61B22D95-9EFB-4AB8-BD17-81E95B4A4989} - C:\WINDOWS\system32\ssqRLCtr.dll (file missing)
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) -
    O20 - Winlogon Notify: yayaxYSj - yayaxYSj.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5035 bytes

  2. #2
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Kaspersky Scan Results Added

    KASPERSKY ONLINE SCANNER REPORT
    Thursday, May 01, 2008 6:16:58 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/05/2008
    Kaspersky Anti-Virus database records: 735152


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 52098
    Number of viruses found 7
    Number of infected objects 64
    Number of suspicious objects 3
    Duration of the scan process 00:43:31

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/iqpmqaep.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/jkkLEVom.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll10.zip/rteqkpli.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll10.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip/eyjscusy.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll12.zip/mlnjgmrs.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll12.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll13.zip/qvgiuyhq.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll13.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll14.zip/rteqkpli.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll14.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll15.zip/ssqRLCtr.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll15.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/krgsxtld.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/iqpmqaep.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip/jkkLEVom.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip/krgsxtld.dll_old Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip/rteqkpli.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip/eyjscusy.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip/mlnjgmrs.dll Infected: Packed.Win32.Monder.gen skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip/qvgiuyhq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu572.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip/mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Homles.bj skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\Borg\Application Data\$_hpcst$.hpc Object is locked skipped

    C:\Documents and Settings\Borg\Cookies\INDEX.DAT Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Temp\WCESLog.log Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Borg\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/08 Dec 2005 23:44 from PayPal Inc.:Your PayPal account could get.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/10 Dec 2005 20:55 from PayPal Inc.:Your PayPal account could get.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/11 Dec 2005 01:53 from PayPal Inc.:Your PayPal account could get.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/05 Feb 2006 06:55 from support@ebay.com:Billing Issues.eml Infected: Trojan-Spy.HTML.Bayfraud.p skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/05 Feb 2006 06:55 from support@ebay.com:Billing Issues.html Infected: Trojan-Spy.HTML.Bayfraud.p skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/05 Feb 2006 19:52 from support@ebay.com:Billing Issues.eml Infected: Trojan-Spy.HTML.Bayfraud.p skipped

    C:\OL022306.pst/Personal Folders/Deleted Items/05 Feb 2006 19:52 from support@ebay.com:Billing Issues.html Infected: Trojan-Spy.HTML.Bayfraud.p skipped

    C:\OL022306.pst MailMSMaill: infected - 4, suspicious - 3 skipped

    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cgktpbfb.dll.vir Infected: Packed.Win32.Monder.gen skipped

    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oscqnfed.dll.vir Infected: Packed.Win32.Monder.gen skipped

    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vqxpbdhk.dll.vir Infected: Packed.Win32.Monder.gen skipped

    C:\QooBox\Quarantine\catchme2008-05-01_ 83107.32.zip/iiffDSMd.dll Infected: Packed.Win32.Monder.gen skipped

    C:\QooBox\Quarantine\catchme2008-05-01_ 83107.32.zip ZIP: infected - 1 skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049823.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049824.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049825.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049826.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049827.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1202\A0049828.exe Infected: Trojan.Win32.KillAV.pb skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1216\A0050067.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1216\A0050068.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1216\A0050069.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1217\A0050078.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1218\A0050106.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1218\A0050108.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1218\A0050109.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1219\A0050172.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1220\A0051219.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1220\A0051220.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1220\A0051221.dll Infected: Packed.Win32.Monder.gen skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1220\A0051222.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1220\change.log Object is locked skipped

    C:\WINDOWS\CSC\00000001 Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{0885FE56-D9C8-41AB-98D0-663B5A63CBEE}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\sam Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\security Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\Temp\mcmsc_m5HAb4fW62OKuED Object is locked skipped

    C:\WINDOWS\Temp\mcmsc_ZMeKLWNbRqY72N4 Object is locked skipped

    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

    C:\WINDOWS\WIASERVC.LOG Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You missed some instructions at the top of this forum.
    Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans
    http://forums.spybot.info/showthread.php?t=16806
    ComboFix is not a general purpose cleaning tool. Please do not use this tool without supervision.
    That being said, if you still want help, I will proceed starting with your KOS first.

    1) You are storing infected email, I will post two and they are easy enough to see in the scan.
    C:\OL022306.pst/Personal Folders/Deleted Items/08 Dec 2005 23:44 from PayPal Inc.:Your PayPal account could get.html <------Trojan-Spy.HTML.Fraud.gen
    http://www.viruslist.com/en/viruses/...?virusid=66363

    C:\OL022306.pst/Personal Folders/Deleted Items/05 Feb 2006 06:55 from support@ebay.com:Billing Issues.eml ------> Trojan-Spy.HTML.Bayfraud.p
    http://www.viruslist.com/en/viruses/...?virusid=96581

    I suggest you clean those out of the Deleted Items folders.

    2) C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the folder in red
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1

    3) System Restore files are infected, DO NOT use SR until we clean those later.

    4) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {61B22D95-9EFB-4AB8-BD17-81E95B4A4989} - C:\WINDOWS\system32\ssqRLCtr.dll (file missing)
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O20 - Winlogon Notify: yayaxYSj - yayaxYSj.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post a new HJT log and tell me how the computer is running.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Thanks, checklist completed, new HJT log

    I screwed up initially, thinking I could fix virtumonde on my own. I appreciate your help.

    1. Shredded my old outlook backups that contained viruses in the deleted items, I never did open those.

    2. Shredded everything in the SB Recovery directory.

    3. Didn't mess with SR Files.

    4. Downloaded ATF Cleaner to desktop.

    5. Ran HJT system scan and removed the items you requested.

    6. Ran ATF Cleaner.

    7. Rebooted, my system seems to be running good. The yayasYSj.dll doesn't load anymore or show in the SpyBot System Startup utility. The New HJT log follows (do you want any other logs?):


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:23:55 PM, on 5/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) -
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 4447 bytes

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and the feedback. Looks like combofix removed most of the infection and we just got the rest. Remove combofix and the C:\QooBox\Quarantine\ folder and run a new Kaspersky Online Scan using these settings:

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * This will program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    Expect infections because we have System Restore to clean, I want to make sure there is nothing else lurking before we clean it.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Next Steps Completed

    1. I used ComboFix /u to remove combofix, the program, subdirectoris and the quarantined files were removed during the uninstall.

    KASPERSKY ONLINE SCANNER REPORT
    Saturday, May 03, 2008 9:42:16 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 4/05/2008
    Kaspersky Anti-Virus database records: 660092


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 50334
    Number of viruses found 0
    Number of infected objects 0
    Number of suspicious objects 0
    Duration of the scan process 00:55:50

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5.tmp Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

    C:\Documents and Settings\Borg\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\History\History.IE5\MSHist012008050320080504\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Borg\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Borg\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\WINDOWS\CSC\00000001 Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\sam Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\security Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped

    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\Temp\mcmsc_DaaMo3p4RxOz8ju Object is locked skipped

    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

    C:\WINDOWS\WIASERVC.LOG Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the feedback and the KOS results. The first KOS showed 18 infected System Restore files, you must have already cleaned those? I see none in this new KOS.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Thanks for the help!

    1. I can't find the System Restore files and didn't do anything with them on purpose?

    And I would like to uninstall the system restore program if you agree and can provide help with the uninstall.

    2. Do I need to keep the ATF cleaner? and HJT program or can I get rid of these as well?

    3. Do you want to see any other log files or does the fact my pc seems to be running good and the current KOS log prove that everything is good (I did run the KOS program in Standard and Not Extended)?

    Thanks again,

    Paul

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    And I would like to uninstall the system restore program if you agree and can provide help with the uninstall.
    NEGATIVE: System Restore is an important part of your Operating System, read about it:
    http://www.microsoft.com/windowsxp/u...emrestore.mspx
    http://www.microsoft.com/windowsxp/u...w_03may19.mspx
    I also post this link for you earlier:
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here are manually directions for cleaning System Restore, it will not hurt for you to follow them once, or anytime you know they are infected and you wish to clean them:
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    ATF-Cleaner is yours to keep and a fine free tool it is, here is a good tutorial:
    http://www.nutnworks.com/forums/showthread.php?t=1925

    I don't need to see anything else, you scanned MyComputer with KOS and it was clean. What I suggest you do is update your McAfee and run a full system scan with that program.

    Safe surfing
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    May 2008
    Posts
    6

    Default Thanks For Your Help

    Thanks For Your Help! I really appreciate it, I've used spybot for years for free, I'll make a donation in the next few days.

    Thanks again for all of your help.

    Paul

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •