Virtumonde me, too.... - Safer-Networking Forums

Mokie · 2007-09-15, 17:22

I've tried to remove it, too. It keeps coming back. I also had Smitfraud, but so far it hasn't popped back up. I just ran S&D and also Adaware scans. Please tell me what to do next and thank you!

Logfile of HijackThis v1.99.1
Scan saved at 8:16:44 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\MNL\Desktop\UTILITIES\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07837F00-9454-44E0-B232-D2093879381F} - (no file)
O2 - BHO: (no name) - {18972FD1-685D-46B6-8D9D-B5643B2C6B27} - (no file)
O2 - BHO: (no name) - {2B3D566E-F8C5-4012-A5F8-B3724F78451a} - C:\WINDOWS\system32\dpjofsqb.dll (file missing)
O2 - BHO: (no name) - {336DC8FE-D8B7-456D-B7E4-0207804F3E59} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {638D549C-77EF-4512-B790-D5F434A2942e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77C5C405-4ACE-4DD2-B684-AF10621071Dc} - (no file)
O2 - BHO: (no name) - {7F09D21B-EC41-4F5B-99A3-BC44CB6BBD43} - (no file)
O2 - BHO: (no name) - {D01A22E2-4BDD-4A00-A796-A11DC35FA819} - (no file)
O2 - BHO: (no name) - {F2632D8E-733C-476E-B123-8EC217484376} - (no file)
O2 - BHO: (no name) - {F2FC29C5-7E6F-4828-A003-F6D25421A0C0} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135544634484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135548163312
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: mstlsapi32 - Unknown owner - C:\WINDOWS\mstlsapi32.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mokie · 2007-09-15, 18:17

I didn't seem to get any information from the Kaspersky scan...here's the report it produced, maybe I didn't select the right scan mode. I have AVG and turned it off, so what else might I need to do?

Saturday, September 15, 2007 9:13:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 15/09/2007
Kaspersky Anti-Virus database records: 418996

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\MNL\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 25154
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:15:43

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\BIGBOY.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_4f4.dat Object is locked skipped

C:\WINDOWS\Temp\ZLT019a0.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT019a3.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

**Mr_JAk3** · 2007-09-17, 20:05

Hi and welcome to the Forums

There is a trace of a backdoor trojan; If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

==================
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Windows Defender's realtime protection.

Open Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Exit the program.

Disable the bad service

Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to mstlsapi32
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.

Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; mstlsapi32
Answer Yes
Close HIjackThis

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {07837F00-9454-44E0-B232-D2093879381F} - (no file)
O2 - BHO: (no name) - {18972FD1-685D-46B6-8D9D-B5643B2C6B27} - (no file)
O2 - BHO: (no name) - {2B3D566E-F8C5-4012-A5F8-B3724F78451a} - C:\WINDOWS\system32\dpjofsqb.dll (file missing)
O2 - BHO: (no name) - {336DC8FE-D8B7-456D-B7E4-0207804F3E59} - (no file)
O2 - BHO: (no name) - {638D549C-77EF-4512-B790-D5F434A2942e} - (no file)
O2 - BHO: (no name) - {77C5C405-4ACE-4DD2-B684-AF10621071Dc} - (no file)
O2 - BHO: (no name) - {7F09D21B-EC41-4F5B-99A3-BC44CB6BBD43} - (no file)
O2 - BHO: (no name) - {D01A22E2-4BDD-4A00-A796-A11DC35FA819} - (no file)
O2 - BHO: (no name) - {F2632D8E-733C-476E-B123-8EC217484376} - (no file)
O2 - BHO: (no name) - {F2FC29C5-7E6F-4828-A003-F6D25421A0C0} - (no file)
O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing)
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: ssttr - C:\WINDOWS\
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)

Restart your computer to the safe mode:

Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Open "My Computer" and delete the following files (if present):
C:\WINDOWS\mstlsapi32.exe

Run ATF Cleaner

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

Mokie · 2007-09-23, 16:46

Sorry it took so long for me to get back on, here are the two logs. I think I deleted everything that was detected rather than moving it. Also, I haven't used my system to do any banking or other sensitive activity except email since I realized I had some type of bug, it's been several months actually, and I don't save credit card info on my system. Is there anything else I need to be concerned about?

00137984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00145968.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00149218.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00155437.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00156062.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00163656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00169000.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00175953.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
00188328.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
00189343.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00189828.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00218750.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00250765.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
00302187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00320734.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00420015.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
00427562.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00503656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00530453.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00876546.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00911218.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00911328.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
00912609.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00912656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00989015.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
00991187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01309656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01325234.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
01341890.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01347890.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
01656078.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01818140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01826656.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
01830140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01831859.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01832890.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
01834640.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
02744703.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
02992984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
02993843.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
02994140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
02994203.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
02994250.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
03425640.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
03426390.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
03426890.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
03427640.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
03427703.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
03427828.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
03429562.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
03640531.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
04644671.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
05318796.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
05319625.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
05319765.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
05410265.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
05416078.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
05419171.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
05421921.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
05429281.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
05431593.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
06290578.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
06384781.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
06389015.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.;
06402843.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
08235984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
08770296.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
11607765.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
11623140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
11973921.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.;
13159209.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
13547187.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
16727875.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
16929892.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
16930908.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.;
AntiSpy.exe;C:\Program Files\Common Files\Scanner;Trojan.Click.origin;Incurable.Moved.;
ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Deleted.;
sdcmon.dll;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.;
tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.;
A0358661.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Adware.VMN;Incurable.Deleted.;
A0358666.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Tool.Prockill;Incurable.Deleted.;
A0358668.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Tool.ShutDown.11;Incurable.Deleted.;
A0358692.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.;
A0358721.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.;
A0358757.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.;
CMGR32.DLL;C:\WINDOWS\system32;BackDoor.Xdoor.origin;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;

Logfile of HijackThis v1.99.1
Scan saved at 7:32:22 AM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and

**Mr_JAk3** · 2007-09-24, 21:18

Hi

Ok but you've propably used email and other user accounts. Would be best to change the passwords.

The HijackThis log wasn't complete. Please post the full HjT log

Mokie · 2007-09-28, 03:33

I will change all my passwords, just in case. Also, I ran a new hijack log just now, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:36 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2

(7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware

2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware

2007\AAWTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile

Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog

Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog

Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and

Settings\MNL\Desktop\UTILITIES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Microsoft Internet

Explorer presented by Comcast
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\I

nternet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program

Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program

Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program

Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program

Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program

Files\Support.com\bin\tgcmd.exe /server

/startmonitor /deaf
O4 - HKLM\..\Run: [ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.ex

e -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program

Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media

Manager]

C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.e

xe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed

Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to

Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/30

00
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file

missing)
O9 - Extra 'Tools' menuitem:

@xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file

missing)
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL]

International*
O16 - DPF:

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}

(CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_

unicode.cab
O16 - DPF:

{17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF:

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN

Photo Upload Tool) -

http://gfx1.mail.live.com/mail/w1/resources/MSNP

Upld.cab
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5C

ontrols/en/x86/client/wuweb_site.cab?11355446344

84
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V

5Controls/en/x86/client/muweb_site.cab?113554816

3312
O16 - DPF:

{F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail

Attachments Control) -

http://by110fd.bay110.hotmail.msn.com/activex/HM

Atchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon -

C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj -

{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service

(aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc.

- C:\Program Files\Common Files\Apple\Mobile

Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server

(Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc)

- GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation -

C:\Program Files\Common Files\Sony

Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) -

Intel(R) Corporation - C:\Program

Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service

(NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation -

C:\Program Files\Common Files\Sony

Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner -

C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX

Agent Service (default)) - Analog Devices, Inc.

- C:\Program Files\Analog

Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) -

Sony Corporation - C:\Program Files\Common

Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor

(vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you for all your help!

**Mr_JAk3** · 2007-09-29, 20:28

Hi

Looks pretty good now. How is the computer running? Any issues?

Mokie · 2007-09-30, 18:48

Yes, thank you for your assistance, it has been running very nicely! Mr_JAk3, this is the first time I ever had anything as insidious as this, now I'm feeling pretty vulnerable. Since I've changed my banking passwords, is it safe for me to go back to using online banking? I stopped in May, and since then have spent alot of time working at removing virus. I would really like to have the convenience back, but this Virtumonde (I had Smitfraud, too) scares me. What other protection can I install to prevent this from happening again? And with everything I already run, how did it get into my system? ZoneAlarm, Spybot S&d, AVG, Superantispyware, Windows Defender; I run them all, and keep them updated. What else can I do?

**Mr_JAk3** · 2007-10-01, 20:40

Hello

Yes the system appears to be clean now. You got virtumundo because you're using an outdated java...

You can remove the tools we used.

Then you should update your Java to the latest version (6u2)

Start

Control Panel

Add/Remove Programs
Delete the old Java,
J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6u2.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Clear your system restore
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file
This prevents your computer from connecting to harmful sites.
Use Firefox browser
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date
Visit Windows Update regularly. How to enable Automatic Updates?
Keep your antivirus and firewall up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein
So how did I get infected in the first place?
Stand Up and Be Counted !
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

2007-09-15, 17:22	#1
Mokie Junior Member Join Date: Jun 2007 Posts: 26	Virtumonde me, too.... I've tried to remove it, too. It keeps coming back. I also had Smitfraud, but so far it hasn't popped back up. I just ran S&D and also Adaware scans. Please tell me what to do next and thank you! Logfile of HijackThis v1.99.1 Scan saved at 8:16:44 AM, on 9/15/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Documents and Settings\MNL\Desktop\UTILITIES\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {07837F00-9454-44E0-B232-D2093879381F} - (no file) O2 - BHO: (no name) - {18972FD1-685D-46B6-8D9D-B5643B2C6B27} - (no file) O2 - BHO: (no name) - {2B3D566E-F8C5-4012-A5F8-B3724F78451a} - C:\WINDOWS\system32\dpjofsqb.dll (file missing) O2 - BHO: (no name) - {336DC8FE-D8B7-456D-B7E4-0207804F3E59} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {638D549C-77EF-4512-B790-D5F434A2942e} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {77C5C405-4ACE-4DD2-B684-AF10621071Dc} - (no file) O2 - BHO: (no name) - {7F09D21B-EC41-4F5B-99A3-BC44CB6BBD43} - (no file) O2 - BHO: (no name) - {D01A22E2-4BDD-4A00-A796-A11DC35FA819} - (no file) O2 - BHO: (no name) - {F2632D8E-733C-476E-B123-8EC217484376} - (no file) O2 - BHO: (no name) - {F2FC29C5-7E6F-4828-A003-F6D25421A0C0} - (no file) O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Gamma Loader.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135544634484 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135548163312 O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.co...x/HMAtchmt.ocx O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing) O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing) O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing) O20 - Winlogon Notify: ssttr - C:\WINDOWS\ O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: mstlsapi32 - Unknown owner - C:\WINDOWS\mstlsapi32.exe (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

2007-09-15, 18:17	#2
Mokie Junior Member Join Date: Jun 2007 Posts: 26	Virtumonde me, too- Kaspersky log I didn't seem to get any information from the Kaspersky scan...here's the report it produced, maybe I didn't select the right scan mode. I have AVG and turned it off, so what else might I need to do? Saturday, September 15, 2007 9:13:10 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.1 Kaspersky Anti-Virus database last update: 15/09/2007 Kaspersky Anti-Virus database records: 418996 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target Critical Areas C:\WINDOWS C:\DOCUME~1\MNL\LOCALS~1\Temp\ Scan Statistics Total number of scanned objects 25154 Number of viruses found 0 Number of infected objects 0 Number of suspicious objects 0 Duration of the scan process 00:15:43 Infected Object Name Virus Name Last Action C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\BIGBOY.ldb Object is locked skipped C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_4f4.dat Object is locked skipped C:\WINDOWS\Temp\ZLT019a0.TMP Object is locked skipped C:\WINDOWS\Temp\ZLT019a3.TMP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

2007-09-17, 20:05	#3
Mr_JAk3 Security Expert Join Date: Oct 2006 Location: Finland Posts: 3,952	Hi and welcome to the Forums There is a trace of a backdoor trojan; If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too. You should print these instructions or save these to a text file. Follow these instructions carefully. Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Download ATF Cleaner by Atribune to your desktop. Do NOT run yet. ================== At first you need to disable a few realtime protections. These may interfere with our cleaning process. We'll enable these when you're clean... Disable Windows Defender's realtime protection. Open Windows Defender Click on "Tools" Click on "General Settings" Scroll down to "Real-time protection options" Uncheck "Turn on Real-time protection (recommended)" Click "Save" Exit the program. Disable the bad service Start Run Type services.msc to the field and press enter. A window opens, scroll down to mstlsapi32 Rightclick it and choose Stop Then choose Properties Set Startup to Disabled Click Apply and OK. Then, open HijackThis. Open the Misc Tools section Delete an NT service Copy the following line to the box and press OK; mstlsapi32 Answer Yes Close HIjackThis Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. O2 - BHO: (no name) - {07837F00-9454-44E0-B232-D2093879381F} - (no file) O2 - BHO: (no name) - {18972FD1-685D-46B6-8D9D-B5643B2C6B27} - (no file) O2 - BHO: (no name) - {2B3D566E-F8C5-4012-A5F8-B3724F78451a} - C:\WINDOWS\system32\dpjofsqb.dll (file missing) O2 - BHO: (no name) - {336DC8FE-D8B7-456D-B7E4-0207804F3E59} - (no file) O2 - BHO: (no name) - {638D549C-77EF-4512-B790-D5F434A2942e} - (no file) O2 - BHO: (no name) - {77C5C405-4ACE-4DD2-B684-AF10621071Dc} - (no file) O2 - BHO: (no name) - {7F09D21B-EC41-4F5B-99A3-BC44CB6BBD43} - (no file) O2 - BHO: (no name) - {D01A22E2-4BDD-4A00-A796-A11DC35FA819} - (no file) O2 - BHO: (no name) - {F2632D8E-733C-476E-B123-8EC217484376} - (no file) O2 - BHO: (no name) - {F2FC29C5-7E6F-4828-A003-F6D25421A0C0} - (no file) O20 - Winlogon Notify: gebcb - C:\WINDOWS\system32\gebcb.dll (file missing) O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing) O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing) O20 - Winlogon Notify: ssttr - C:\WINDOWS\ O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing) Restart your computer to the safe mode: Restart your computer Start tapping the F8 key when the computer restarts. When the start menu opens, choose Safe mode Press Enter. The computer then begins to start in Safe mode. Open "My Computer" and delete the following files (if present): C:\WINDOWS\mstlsapi32.exe Run ATF Cleaner Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, you should now mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found If so, click it and then click the next icon right below and select Move incurable After the scan, in the menu, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot the computer in Normal Mode, Post the Cure-it report and a fresh HijackThis log __________________ MalWare Removal University - You too could train to help others UNITE & ASAP member since 2006

2007-09-23, 16:46	#4
Mokie Junior Member Join Date: Jun 2007 Posts: 26	Virtumonde, me too Sorry it took so long for me to get back on, here are the two logs. I think I deleted everything that was detected rather than moving it. Also, I haven't used my system to do any banking or other sensitive activity except email since I realized I had some type of bug, it's been several months actually, and I don't save credit card info on my system. Is there anything else I need to be concerned about? 00137984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00145968.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00149218.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00155437.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00156062.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00163656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00169000.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00175953.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 00188328.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 00189343.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00189828.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00218750.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00250765.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 00302187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00320734.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00420015.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 00427562.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00503656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00530453.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00876546.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00911218.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00911328.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 00912609.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00912656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00989015.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 00991187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01309656.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01325234.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 01341890.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01347890.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 01656078.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01818140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01826656.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 01830140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01831859.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01832890.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 01834640.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 02744703.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.; 02992984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 02993843.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 02994140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 02994203.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 02994250.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 03425640.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 03426390.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 03426890.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 03427640.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.; 03427703.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 03427828.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 03429562.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 03640531.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 04644671.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 05318796.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.; 05319625.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.; 05319765.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 05410265.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 05416078.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 05419171.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 05421921.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 05429281.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 05431593.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 06290578.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 06384781.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 06389015.FIL;C:\$VAULT$.AVG;Trojan.Popuper;Deleted.; 06402843.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.; 08235984.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 08770296.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 11607765.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 11623140.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 11973921.FIL;C:\$VAULT$.AVG;Adware.Crew;Incurable.Deleted.; 13159209.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 13547187.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 16727875.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.; 16929892.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; 16930908.FIL;C:\$VAULT$.AVG;Trojan.Juan;Deleted.; AntiSpy.exe;C:\Program Files\Common Files\Scanner;Trojan.Click.origin;Incurable.Moved.; ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Deleted.; sdcmon.dll;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.; tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.; A0358661.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Adware.VMN;Incurable.Deleted.; A0358666.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Tool.Prockill;Incurable.Deleted.; A0358668.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Tool.ShutDown.11;Incurable.Deleted.; A0358692.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.; A0358721.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.; A0358757.exe;C:\System Volume Information\_restore{D0EF8276-C546-4DA1-92AD-C6F6B8228708}\RP447;Probably BACKDOOR.Trojan;Incurable.Deleted.; CMGR32.DLL;C:\WINDOWS\system32;BackDoor.Xdoor.origin;Incurable.Moved.; Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.; Logfile of HijackThis v1.99.1 Scan saved at 7:32:22 AM, on 9/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and

2007-09-24, 21:18	#5
Mr_JAk3 Security Expert Join Date: Oct 2006 Location: Finland Posts: 3,952	Hi Ok but you've propably used email and other user accounts. Would be best to change the passwords. The HijackThis log wasn't complete. Please post the full HjT log __________________ MalWare Removal University - You too could train to help others UNITE & ASAP member since 2006

2007-09-28, 03:33	#6
Mokie Junior Member Join Date: Jun 2007 Posts: 26	Virtumonde, me too I will change all my passwords, just in case. Also, I ran a new hijack log just now, here it is: Logfile of HijackThis v1.99.1 Scan saved at 6:31:36 PM, on 9/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\MNL\Desktop\UTILITIES\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\I nternet Settings,ProxyServer = :0 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.ex e -startup O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.e xe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Gamma Loader.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/30 00 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_ unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNP Upld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5C ontrols/en/x86/client/wuweb_site.cab?11355446344 84 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V 5Controls/en/x86/client/muweb_site.cab?113554816 3312 O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/activex/HM Atchmt.ocx O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Thank you for all your help!

2007-09-29, 20:28	#7
Mr_JAk3 Security Expert Join Date: Oct 2006 Location: Finland Posts: 3,952	Hi Looks pretty good now. How is the computer running? Any issues? __________________ MalWare Removal University - You too could train to help others UNITE & ASAP member since 2006

2007-09-30, 18:48	#8
Mokie Junior Member Join Date: Jun 2007 Posts: 26	Virtumonde me, too Yes, thank you for your assistance, it has been running very nicely! Mr_JAk3, this is the first time I ever had anything as insidious as this, now I'm feeling pretty vulnerable. Since I've changed my banking passwords, is it safe for me to go back to using online banking? I stopped in May, and since then have spent alot of time working at removing virus. I would really like to have the convenience back, but this Virtumonde (I had Smitfraud, too) scares me. What other protection can I install to prevent this from happening again? And with everything I already run, how did it get into my system? ZoneAlarm, Spybot S&d, AVG, Superantispyware, Windows Defender; I run them all, and keep them updated. What else can I do?

2007-10-01, 20:40	#9
Mr_JAk3 Security Expert Join Date: Oct 2006 Location: Finland Posts: 3,952	Hello Yes the system appears to be clean now. You got virtumundo because you're using an outdated java... You can remove the tools we used. Then you should update your Java to the latest version (6u2) Start Control Panel Add/Remove Programs Delete the old Java, J2SE Runtime Environment 5.0 Update 6 Download the latest version of Java Runtime Environment (JRE) 6u2. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Check the box that says: "*Accept* License Agreement." The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Install it Now you can make your hidden files hidden again. Go to My Computer Select the Tools menu and click Folder Options Click the View tab. Checkmark the "Display the contents of system folders" Under the Hidden files and folders select "Show hidden files and folders" Check "Hide protected operating system files" Click Apply and then the OK and close My Computer. ============= Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure: Clear your system restore This will clear the system restore folders from possible malware that was left behind during the cleaning process. Use ATF Cleaner Download and install ATF Cleaner. Clean your temporary files & folders with it regularly. Use Ad-Aware Download and install Ad-Aware. Update it and scan your computer regularly with it. Use AVG Anti-Spyware Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it. Use Spybot S&D Download and install Spybot S&D. Update it and scan your computer regularly with it. Install SpywareBlaster SpywareBlaster will prevent spyware from being installed. Install MVPS Hosts file This prevents your computer from connecting to harmful sites. Use Firefox browser Firefox is faster and more secure browser than Internet Explorer. Keep your systen up-to-date Visit Windows Update regularly. How to enable Automatic Updates? Keep your antivirus and firewall up-to-date Scan your computer regularly with you antivirus software. Read this article by TonyKlein So how did I get infected in the first place? Stand Up and Be Counted ! The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. Stay clean and be safe __________________ MalWare Removal University - You too could train to help others UNITE & ASAP member since 2006

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode