Infected with Virtumonde



cali01
2007-11-15, 23:40
I have been having problems removing Virtumonde from my computer. Please advise me of how to get rid of it, it's very annoying. Thank you!

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:26 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WasteWORKS\wwwin.exe
C:\WINDOWS\system32\ushvdolj.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [b40c341c] rundll32.exe "C:\WINDOWS\system32\yoyjqgjr.dll",b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182528679234
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ushvdolj.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 5694 bytes

Also, my Kaspersky log is too long to post.
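One way to triage a HijackThis log like the one above mechanically, as an added example that is not a tool from this thread: the rules below are my own heuristics, drawn from the kinds of entries the helper ends up targeting (a rundll32 Run entry loading a random eight-letter DLL, a service with no vendor and a random-named binary under the Windows directory, an ActiveX download served through the ms-its:/CHM handler). The sample lines are copied from the log posted above; the regexes and the eight-letter "random name" rule are assumptions, and a hit is a reason to look closer, not proof of infection.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# plus one clean Symantec service line as a negative control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b40c341c] rundll32.exe "C:\WINDOWS\system32\yoyjqgjr.dll",b
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: DomainService - - C:\WINDOWS\system32\ushvdolj.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Eight random lowercase letters is the naming pattern of the Vundo DLLs in this
# thread (yoyjqgjr.dll, ilovqdov.dll, ...). Heuristic assumption, not a signature.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")

# HijackThis line shapes this script understands (assumed from the log above).
O4_RUNDLL = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32(?:\.exe)? "(?P<dll>[^"]+)",(?P<export>\S+)$', re.IGNORECASE)
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? - (?P<url>.+)$")
O23_SVC = re.compile(
    r"^O23 - Service: (?P<svc>.+?)\s+-\s*(?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:.+)$")


def basename(path):
    """Last path component, lower-cased, with HijackThis' '(file missing)' tag removed."""
    return path.split(" (file missing)")[0].rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (item_type, reason, detail) tuples for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUNDLL.match(line)
        if m:
            # Vundo autostart: rundll32 + random DLL in system32 + a one-letter export.
            if RANDOM_NAME.match(basename(m.group("dll"))) and len(m.group("export")) <= 2:
                findings.append(("O4", "rundll32 loads random-named DLL with short export",
                                 m.group("dll")))
            continue
        m = O16_DPF.match(line)
        if m:
            # Legitimate DPF entries point at an http(s) .cab; ms-its:/mhtml: and .chm
            # indicate the compiled-HTML loader trick seen in this log.
            url = m.group("url").lower()
            if url.startswith(("ms-its:", "mhtml:")) or ".chm" in url:
                findings.append(("O16", "ActiveX download via ms-its:/CHM handler",
                                 m.group("url")))
            continue
        m = O23_SVC.match(line)
        if m:
            vendor, path = m.group("vendor").strip(), m.group("path")
            if "(file missing)" in path:
                # A service whose binary is gone is a leftover loader to clean up.
                findings.append(("O23", "service points at a missing binary", m.group("svc")))
            elif vendor in ("", "Unknown owner") and RANDOM_NAME.match(basename(path)):
                findings.append(("O23", "no-vendor service with random-named binary", path))
    return findings


if __name__ == "__main__":
    for item_type, reason, detail in triage(SAMPLE_LOG):
        print(f"{item_type}: {reason}: {detail}")
```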

Mr_JAk3
2007-11-16, 20:50
Hello and welcome to the Forums :)

Let's see...

Rename HijackThis.exe to skanneri.exe by doing the following:

Navigate here using Windows Explorer (Windows button + E) or My Computer > Local Disk C: > C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe
Choose "Rename" from the pull-down menu
And now rename HijackThis.exe to skanneri.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

cali01
2007-11-16, 22:21
I'm sorry. When Hijackthis gets done scanning it pops up notepad and says "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?"

If I select yes it still won't save a log.

Mr_JAk3
2007-11-17, 11:56
Ok please delete the old copy of HijackThis.


Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis. Close it.
Navigate here using Windows Explorer (Windows button + E) or My Computer > Local Disk C: > C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe
Choose "Rename" from the pull-down menu
And now rename HijackThis.exe to skanneri.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

Let me know if this didn't work

cali01
2007-11-17, 15:59
The same thing happens. :(

Mr_JAk3
2007-11-17, 16:57
Ok we'll use this then...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

cali01
2007-11-17, 17:36
ComboFix 07-11-08.1 - scale2 2007-11-17 9:11:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.62 [GMT -6:00]
Running from: C:\Documents and Settings\scale2\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\scale2\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\F1
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F4
C:\WINDOWS\system32\F5
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\SYSTEM32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.bak2
C:\WINDOWS\SYSTEM32\oqtwa.ini
C:\WINDOWS\SYSTEM32\oqtwa.ini2
C:\WINDOWS\SYSTEM32\oqtwa.tmp
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 09:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 08:56 82,496 --a------ C:\WINDOWS\SYSTEM32\ilovqdov.dll
2007-11-17 08:53 84,545 --a------ C:\WINDOWS\SYSTEM32\pirtvbpe.dll
2007-11-17 08:42 82,496 --a------ C:\WINDOWS\SYSTEM32\astavpis.dll
2007-11-16 15:32 81,984 --a------ C:\WINDOWS\SYSTEM32\joiljwpj.dll
2007-11-16 14:17 81,984 --a------ C:\WINDOWS\SYSTEM32\elyoqnri.dll
2007-11-15 15:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 14:14 79,936 --a------ C:\WINDOWS\SYSTEM32\rohhicav.dll
2007-11-15 13:36 79,936 --a------ C:\WINDOWS\SYSTEM32\ktckqvok.dll
2007-11-15 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-15 12:35 79,936 --a------ C:\WINDOWS\SYSTEM32\injpapnb.dll
2007-11-14 14:43 79,424 --a------ C:\WINDOWS\SYSTEM32\rqcgtxor.dll
2007-11-14 10:21 79,424 --a------ C:\WINDOWS\SYSTEM32\foxvrsch.dll
2007-11-14 09:50 79,424 --a------ C:\WINDOWS\SYSTEM32\ejjkrfef.dll
2007-11-14 09:20 79,424 --a------ C:\WINDOWS\SYSTEM32\kfcqscqn.dll
2007-11-14 09:01 <DIR> d-------- C:\VundoFix Backups
2007-11-14 08:49 79,424 --a------ C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
2007-11-14 08:18 79,424 --a------ C:\WINDOWS\SYSTEM32\lgalcdrs.dll
2007-11-14 08:12 79,424 --a------ C:\WINDOWS\SYSTEM32\udheqyim.dll
2007-11-14 07:48 81,472 --a------ C:\WINDOWS\SYSTEM32\pstshqpu.dll
2007-11-14 03:17 81,472 --a------ C:\WINDOWS\SYSTEM32\qicifnqc.dll
2007-11-12 14:11 81,472 --a------ C:\WINDOWS\SYSTEM32\qlqmlajv.dll
2007-11-10 14:11 81,472 --a------ C:\WINDOWS\SYSTEM32\yljovueq.dll
2007-11-09 14:11 77,888 --a------ C:\WINDOWS\SYSTEM32\glildbgh.dll
2007-11-04 21:42 78,912 --a------ C:\WINDOWS\SYSTEM32\agewokpr.dll
2007-11-03 21:39 81,472 --a------ C:\WINDOWS\SYSTEM32\jofkonww.dll
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2007-10-19 12:40 233,472 --a------ C:\WINDOWS\SYSTEM32\OkDrtPrn.exe
2007-10-19 12:40 106,496 --a------ C:\WINDOWS\SYSTEM32\OkDrtPrn.dll
2007-10-19 12:40 45,056 --a------ C:\WINDOWS\SYSTEM32\OkDPnRes.dll
2007-10-19 12:35 24,576 -ra------ C:\WINDOWS\SYSTEM32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 21:25 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-14 17:32 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-14 09:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 16:56 --------- d-----w C:\Program Files\Java
2007-11-06 13:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 01:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 01:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-19 18:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 18:40 --------- d-----w C:\Program Files\Okidata
2007-10-12 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-04 13:27 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 13:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 13:27 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-04 13:27 --------- d-----w C:\Program Files\Symantec
2007-09-21 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 20:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 20:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 20:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 20:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 20:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 20:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 20:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 20:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 20:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-06-22 16:50:35 6,369 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.bak1
2007-06-27 15:05:02 1,899,012 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.bak2
2007-07-05 14:29:29 1,761,215 --sha-w C:\WINDOWS\SYSTEM32\jlkkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]
C:\WINDOWS\System32\ogytiis.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]
2007-11-17 08:56 82496 --a------ C:\WINDOWS\system32\ilovqdov.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]
C:\WINDOWS\System32\jkklj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"b40c341c"="C:\WINDOWS\system32\pirtvbpe.dll" [2007-11-17 08:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]
khfgddb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-05-29 11:00 8704 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]
xxyvsss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]
rundll32.exe "C:\WINDOWS\system32\dwgehlpp.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\owinkndt.exe SKY003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\nvxbiufd.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\abxnppdv.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]
C:\WINDOWS\System32\Oplmsb01.exe OKI B4250(PCL)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\sodvujgd.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]
C:\WINDOWS\pyzssagA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 13:07:07 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - scale2.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 09:24:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 9:28:41 - machine was rebooted
.
--- E O F ---

Mr_JAk3
2007-11-18, 17:16
Hi, we'll continue :)

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\SYSTEM32\ilovqdov.dll
C:\WINDOWS\SYSTEM32\pirtvbpe.dll
C:\WINDOWS\SYSTEM32\astavpis.dll
C:\WINDOWS\SYSTEM32\joiljwpj.dll
C:\WINDOWS\SYSTEM32\elyoqnri.dll
C:\WINDOWS\SYSTEM32\rohhicav.dll
C:\WINDOWS\SYSTEM32\ktckqvok.dll
C:\WINDOWS\SYSTEM32\injpapnb.dll
C:\WINDOWS\SYSTEM32\rqcgtxor.dll
C:\WINDOWS\SYSTEM32\foxvrsch.dll
C:\WINDOWS\SYSTEM32\ejjkrfef.dll
C:\WINDOWS\SYSTEM32\kfcqscqn.dll
C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
C:\WINDOWS\SYSTEM32\lgalcdrs.dll
C:\WINDOWS\SYSTEM32\udheqyim.dll
C:\WINDOWS\SYSTEM32\pstshqpu.dll
C:\WINDOWS\SYSTEM32\qicifnqc.dll
C:\WINDOWS\SYSTEM32\qlqmlajv.dll
C:\WINDOWS\SYSTEM32\yljovueq.dll
C:\WINDOWS\SYSTEM32\glildbgh.dll
C:\WINDOWS\SYSTEM32\agewokpr.dll
C:\WINDOWS\SYSTEM32\jofkonww.dll
C:\WINDOWS\SYSTEM32\jlkkj.bak1
C:\WINDOWS\SYSTEM32\jlkkj.bak2
C:\WINDOWS\SYSTEM32\jlkkj.ini2
C:\WINDOWS\System32\ogytiis.dll
C:\WINDOWS\system32\ilovqdov.dll
C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\system32\pirtvbpe.dll
C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\dwgehlpp.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\owinkndt.exe
C:\WINDOWS\system32\nvxbiufd.dll
C:\WINDOWS\system32\abxnppdv.dll
C:\WINDOWS\System32\Oplmsb01.exe
C:\WINDOWS\system32\sodvujgd.dll
C:\WINDOWS\pyzssagA.exe

Folder::
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b40c341c"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]




Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

cali01
2007-11-19, 15:36
Ok...I copied that text to notepad, named it as you said, and then dragged the CFScript file onto the ComboFix icon as your picture shows. It started ComboFix but a window popped up and said that ComboFix was out of date and to download the most recent version, and then uninstalled itself.

Mr_JAk3
2007-11-19, 21:35
OK we'll use another tool then...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

cali01
2007-11-19, 22:14
I had used VundoFix.exe and FxVMonde.exe while trying to remove this myself. Neither removed it, as S&D is still detecting it when I scan.

So here is the VundoFix log, the results from the first scan are there, also. Today it said that it didn't detect anything.


VundoFix V6.6.1

Checking Java version...

Scan started at 9:01:48 AM 11/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.tmp
C:\windows\SYSTEM32\jbnubuql.dll
C:\WINDOWS\system32\mljgd.dll
C:\windows\SYSTEM32\ufpjhjeh.dll
C:\WINDOWS\system32\xxyvsss.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.tmp Has been deleted!

Attempting to delete C:\windows\SYSTEM32\jbnubuql.dll
C:\windows\SYSTEM32\jbnubuql.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ufpjhjeh.dll
C:\windows\SYSTEM32\ufpjhjeh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Scan started at 9:16:03 AM 11/14/2007

Listing files found while scanning....


VundoFix V6.6.1

Checking Java version...

Scan started at 9:20:16 AM 11/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\mljgd.dll

VundoFix V6.6.1

Checking Java version...

Scan started at 9:43:17 AM 11/14/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Scan started at 1:50:56 PM 11/19/2007

Listing files found while scanning....

No infected files were found.

cali01
2007-11-19, 22:23
I cannot post a new HijackThis log. It is still not saving the log files. I tried uninstalling it and deleting the .exe file manually, then reinstalling, but it is still doing the same thing.

Mr_JAk3
2007-11-20, 18:51
Ok we'll continue :)

Please remove any old versions of VundoFix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Open a new notepad window
Paste the list of files from the quote box below into the notepad window.

C:\WINDOWS\SYSTEM32\ilovqdov.dll
C:\WINDOWS\SYSTEM32\pirtvbpe.dll
C:\WINDOWS\SYSTEM32\astavpis.dll
C:\WINDOWS\SYSTEM32\joiljwpj.dll
C:\WINDOWS\SYSTEM32\elyoqnri.dll
C:\WINDOWS\SYSTEM32\rohhicav.dll
C:\WINDOWS\SYSTEM32\ktckqvok.dll
C:\WINDOWS\SYSTEM32\injpapnb.dll
C:\WINDOWS\SYSTEM32\rqcgtxor.dll
C:\WINDOWS\SYSTEM32\foxvrsch.dll
C:\WINDOWS\SYSTEM32\ejjkrfef.dll
C:\WINDOWS\SYSTEM32\kfcqscqn.dll
C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
C:\WINDOWS\SYSTEM32\lgalcdrs.dll
C:\WINDOWS\SYSTEM32\udheqyim.dll
C:\WINDOWS\SYSTEM32\pstshqpu.dll
C:\WINDOWS\SYSTEM32\qicifnqc.dll
C:\WINDOWS\SYSTEM32\qlqmlajv.dll
C:\WINDOWS\SYSTEM32\yljovueq.dll
C:\WINDOWS\SYSTEM32\glildbgh.dll
C:\WINDOWS\SYSTEM32\agewokpr.dll
C:\WINDOWS\SYSTEM32\jofkonww.dll
C:\WINDOWS\SYSTEM32\jlkkj.bak1
C:\WINDOWS\SYSTEM32\jlkkj.bak2
C:\WINDOWS\SYSTEM32\jlkkj.ini2
C:\WINDOWS\System32\ogytiis.dll
C:\WINDOWS\system32\ilovqdov.dll
C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\system32\pirtvbpe.dll
C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\system32\dwgehlpp.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\owinkndt.exe
C:\WINDOWS\system32\nvxbiufd.dll
C:\WINDOWS\system32\abxnppdv.dll
C:\WINDOWS\System32\Oplmsb01.exe
C:\WINDOWS\system32\sodvujgd.dll
C:\WINDOWS\pyzssagA.exe
Save this as vundofix.vft with "Save as type" set to "All Files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b40c341c"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg with file type: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart the computer.

Please post the contents of C:\vundofix.txt and a new HiJackThis log (if working now) in a reply to this thread.
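The .reg syntax in the Fix.reg above (the Registry:: section of the CFScript posted earlier uses the same key syntax) is compact: [-KEY] deletes the key and everything under it, [KEY] opens or creates the key, and "name"=- deletes a single value while leaving the key in place. The Python script below is an added example, not from the thread or from any of the tools it mentions: it checks the two layout rules the helper insists on and turns a script into a dry-run plan without touching the registry. FIX_REG is a shortened, constructed copy of the post's script; the line regexes are my assumptions about the format.

```python
import re

# Known .reg headers: REGEDIT4 (ANSI, what the post asks for) and the Unicode one.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] opens/creates a key; [-KEY] deletes it with all subkeys and values.
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# "name"=data sets a value, @=data sets the default value, "name"=- deletes a value.
VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed sample: a shortened copy of the Fix.reg from the post above.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b40c341c"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

"""


def validate(text):
    """Check the layout rules from the post; return a list of problems (empty = OK)."""
    problems = []
    lines = text.split("\n")
    # Rule 1: the header must be the very first line, so no blank lines before it.
    if not lines or lines[0] not in HEADERS:
        problems.append("first line must be exactly REGEDIT4 (no blank lines before it)")
    # Rule 2: regedit wants the last entry terminated by a blank line.
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    return problems


def plan(text):
    """Dry run: list (operation, key, value_name_or_data) without touching the registry."""
    ops = []
    current = None  # key that following value lines apply to
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line in HEADERS:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            if m.group("delete"):
                ops.append(("delete_key", key, None))
                current = None  # value lines after a [-KEY] make no sense
            else:
                ops.append(("ensure_key", key, None))
                current = key
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            data = m.group("data")
            if data == "-":
                ops.append(("delete_value", current, name))
            else:
                ops.append(("set_value", current, (name, data)))
            continue
        raise ValueError(f"line {lineno}: not understood: {line!r}")
    return ops


if __name__ == "__main__":
    for problem in validate(FIX_REG):
        print("problem:", problem)
    for op, key, extra in plan(FIX_REG):
        print(op, key, extra if extra is not None else "")
```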

cali01
2007-11-20, 19:23
HijackThis is still not saving a log file. From VundoFix:

Beginning removal...

Attempting to delete C:\WINDOWS\pss\TA_Start.lnkStartup
C:\WINDOWS\pss\TA_Start.lnkStartup Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\agewokpr.dll
C:\WINDOWS\SYSTEM32\agewokpr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\astavpis.dll
C:\WINDOWS\SYSTEM32\astavpis.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
C:\WINDOWS\SYSTEM32\dpgnkbmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ejjkrfef.dll
C:\WINDOWS\SYSTEM32\ejjkrfef.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\foxvrsch.dll
C:\WINDOWS\SYSTEM32\foxvrsch.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\glildbgh.dll
C:\WINDOWS\SYSTEM32\glildbgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilovqdov.dll
C:\WINDOWS\system32\ilovqdov.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\injpapnb.dll
C:\WINDOWS\SYSTEM32\injpapnb.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak1
C:\WINDOWS\SYSTEM32\jlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak2
C:\WINDOWS\SYSTEM32\jlkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.ini2
C:\WINDOWS\SYSTEM32\jlkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kfcqscqn.dll
C:\WINDOWS\SYSTEM32\kfcqscqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ktckqvok.dll
C:\WINDOWS\SYSTEM32\ktckqvok.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\lgalcdrs.dll
C:\WINDOWS\SYSTEM32\lgalcdrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\Oplmsb01.exe
C:\WINDOWS\System32\Oplmsb01.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pirtvbpe.dll
C:\WINDOWS\system32\pirtvbpe.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rohhicav.dll
C:\WINDOWS\SYSTEM32\rohhicav.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rqcgtxor.dll
C:\WINDOWS\SYSTEM32\rqcgtxor.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\udheqyim.dll
C:\WINDOWS\SYSTEM32\udheqyim.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yljovueq.dll
C:\WINDOWS\SYSTEM32\yljovueq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Mr_JAk3
2007-11-20, 20:20
Okay, let's try with an older version of HijackThis...

Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

cali01
2007-11-20, 20:48
It is doing the same thing. I downloaded the version you linked, moved it into the new folder on the desktop which I named hijackthis, then opened the program. I clicked on "do a system scan and save a log file" and got the message "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" If I select yes it creates a new text document named hijackthis, but the document is blank and the file size is 0 KB. If I select no, it deletes this blank file and nothing is there. Then, I tried to run hijackthis by selecting "do a system scan only" and then after scanning, selecting "save log." This brings up the Save logfile window, I click save and I again get "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" and the same thing happens.

cali01
2007-11-20, 21:08
Another thing... as I have been trying to run HijackThis and save a log file, Norton Antivirus keeps popping up saying that it's blocking Bloodhound.Exploit.6.

Mr_JAk3
2007-11-21, 20:31
Hi again :)

Ok that wasn't old enough, sorry.

Please try this version instead -> HijackThis 1.99.1 (http://www.majorgeeks.com/download3155.html)

:bigthumb:

cali01
2007-11-21, 21:01
Logfile of HijackThis v1.99.1
Scan saved at 1:01:12 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WasteWORKS\wwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182528679234
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Mr_JAk3
2007-11-22, 17:31
Ok good :)

Only a few leftovers. How is the computer running?

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
Restart the computer and run a new scan with HijackThis. The entries you just fixed should be gone. Let me know if they're not.

You can now remove the tools we used.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
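The three O2 entries the helper picked out of the log above share one trait: each is a Browser Helper Object whose DLL is reported "(file missing)", meaning the CLSID registration survived after the file itself was removed. The script below is an added example (not code from the thread or from HijackThis) that parses O2 lines from a HijackThis log and returns the orphaned registrations; the sample lines are constructed from the log posted in this thread. Note that "(no name)" on its own is not a signal: Spybot's SDHelper.dll is also listed without a name.

```python
"""Triage O2 (BHO) lines from a HijackThis log.

Added example for this thread, not part of HijackThis or the original posts.
It flags BHO registrations whose DLL HijackThis reports as '(file missing)',
which is exactly the set of O2 entries the helper asked to fix above.
"""
import re

# Constructed sample: O2/O4 lines copied from the HijackThis 1.99.1 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# O2 layout: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]".
# <name> may itself be a GUID in braces, so it is matched lazily and the
# CLSID is taken as the last braced GUID before the path.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_bho_lines(log_text):
    """Return one dict per O2 line: name, normalised CLSID, path, file_missing."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (R0/R1/O4/O23... are ignored here)
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return entries


def flag_orphaned_bhos(log_text):
    """Return the CLSIDs of BHOs whose DLL no longer exists on disk.

    An orphaned registration cannot load anything, but it is the leftover
    that keeps showing up in scans, so it is what gets fixed in HijackThis.
    """
    return [e["clsid"] for e in parse_bho_lines(log_text) if e["file_missing"]]


if __name__ == "__main__":
    for clsid in flag_orphaned_bhos(SAMPLE_LOG):
        print("orphaned BHO:", clsid)
```

Run against the sample it reports the same three CLSIDs the helper listed (ogytiis.dll, ilovqdov.dll, jkklj.dll); the Spybot, DriveLetterAccess and Java helpers are left alone because their files are present.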

cali01
2007-11-23, 16:25
I fixed those entries as you said, and they seem to be gone, but S&D is still detecting Virtumonde on my computer. Here is my HijackThis log now:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:32 AM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182528679234
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Mr_JAk3
2007-11-23, 19:40
Ok, could you please post the Spybot findings here and I'll have a look (the part of the scan log that shows the Virtumonde entries). :bigthumb:

cali01
2007-11-23, 20:33
Where do I find the Spybot scan log?

Mr_JAk3
2007-11-23, 20:55
Hi :)

These instructions should help -> link (http://forums.spybot.info/showpost.php?p=15610&postcount=2)

:bigthumb:

cali01
2007-11-23, 21:05
--- Report generated: 2007-11-23 12:19 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\aldd


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-11-21 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-21 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-11-21 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-21 Includes\KeyloggersC.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-11-21 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-21 Includes\PUPSC.sbi (*)
2007-11-21 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-21 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-21 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-14 Includes\Trojans.sbi (*)
2007-11-21 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Mr_JAk3
2007-11-24, 16:32
Ok we'll clean those leftovers manually...

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[-HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\rdfa]

[-HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\aldd]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart the PC and run a new scan. Virtumonde shouldn't be bothering you anymore. :bigthumb:
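Both registry fixes in this thread (the startupreg one earlier and the rdfa/aldd one just above) rely on the same REGEDIT4 mechanics: a `[-KEY]` line deletes that key and everything under it when the file is merged, and the file must start with REGEDIT4 and end with one blank line. Because a typo in a delete line silently removes a whole subtree, it is worth checking a Fix.reg before double-clicking it. The checker below is an added example (not code from the thread or from ERUNT/regedit); the "good" sample is constructed from the fix posted above, the "bad" sample is constructed to show what the checks catch, and the `min_depth` threshold is an assumption chosen for illustration.

```python
"""Sanity-check a REGEDIT4 fix file before merging it.

Added example for this thread, not part of the original posts or any tool.
Enforces the two rules stated above (REGEDIT4 on the very first line, exactly
one blank line at the end), accepts only [KEY] / [-KEY] lines, and refuses
deletes of very shallow keys, where a typo would wipe out a whole hive branch.
"""
import re

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")
# "[-KEY]" deletes the key and all subkeys; "[KEY]" creates it.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")

# Constructed sample matching the Fix.reg posted above (ends with one blank line).
GOOD_FIX = "\n".join([
    "REGEDIT4",
    "",
    r"[-HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\rdfa]",
    "",
    r"[-HKEY_USERS\S-1-5-21-1142129594-200351922-3848740364-1006\Software\Microsoft\aldd]",
    "",
    "",
])

# Constructed bad sample: leading blank line, no trailing blank line, and a
# delete that would remove everything under HKLM\Software\Microsoft.
BAD_FIX = "\n".join([
    "",
    "REGEDIT4",
    "",
    r"[-HKEY_LOCAL_MACHINE\Software\Microsoft]",
])


def check_reg_fix(text, min_depth=3):
    """Return (problems, deletions, additions) for a REGEDIT4 file body.

    min_depth is the minimum number of backslashes a key must have before a
    [-KEY] delete is accepted (assumed value, adjust to taste).
    """
    problems, deletions, additions = [], [], []
    lines = text.splitlines()

    header_ok = bool(lines) and lines[0] == "REGEDIT4"
    if not header_ok:
        problems.append("first line must be REGEDIT4 with no blank lines before it")

    trailing = 0
    for line in reversed(lines):
        if line.strip():
            break
        trailing += 1
    if trailing != 1:
        problems.append(f"expected exactly one blank line at the end, found {trailing}")

    body = lines[1:] if header_ok else lines
    for n, line in enumerate(body, start=2 if header_ok else 1):
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if not m:
            # Value lines ("name"=...) are rejected on purpose: the fixes in
            # this thread only delete keys, so anything else is unexpected.
            problems.append(f"line {n}: not a [key] line: {line!r}")
            continue
        key = m.group("key")
        hive = key.split("\\", 1)[0]
        if hive not in HIVES:
            problems.append(f"line {n}: unknown hive {hive!r}")
            continue
        if m.group("delete"):
            if key.count("\\") < min_depth:
                problems.append(f"line {n}: refusing shallow delete of {key!r}")
            else:
                deletions.append(key)
        else:
            additions.append(key)
    return problems, deletions, additions


if __name__ == "__main__":
    for label, content in (("good", GOOD_FIX), ("bad", BAD_FIX)):
        problems, deletions, additions = check_reg_fix(content)
        print(label, "problems:", problems)
        print(label, "would delete:", deletions)
```

On the good sample the checker reports no problems and lists the two Virtumonde keys as the only deletions; on the bad sample it flags the leading blank line, the missing trailing blank line and the shallow delete, and returns an empty deletion list.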

cali01
2007-11-26, 17:58
Thank you!! =) My Spybot scan is now clear. However, my Kaspersky scan isn't. I will try to post the log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 26, 2007 9:58:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 465960
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55823
Number of viruses found: 15
Number of infected objects: 25
Number of suspicious objects: 7
Duration of the scan process: 01:19:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu2000219.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1B07A734.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0035100.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0035154.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0035170.exe.bac_a01528 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0035208.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0036492.exe.bac_a01528 Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\A0036493.exe.bac_a01528 Infected: Trojan.Win32.Small.oa skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528 NSIS: infected - 3 skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\byxwtsr.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\cfg32.exe.bac_a01528 Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\cfg32a.exe.bac_a01528 Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\iifecya.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\khfgddb.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\khfgffe.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\ljjiiif.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\nvxbiufd.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\ogytiis.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\owinkndt.exe.bac_a01528 Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\yayvvvu.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\cert8.db Object is locked skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\history.dat Object is locked skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\key3.db Object is locked skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\parent.lock Object is locked skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\search.sqlite Object is locked skipped
C:\Documents and Settings\scale2\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\scale2\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Application Data\Mozilla\Firefox\Profiles\c9eagjlx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\scale2\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\scale2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\scale2\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\change.log Object is locked skipped
C:\VundoFix Backups\agewokpr.dll.bad Infected: Trojan.Win32.BHO.rg skipped
C:\VundoFix Backups\pirtvbpe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\VundoFix Backups\yljovueq.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped
C:\WasteWORKS\wwscale\CONTROL.DBF Object is locked skipped
C:\WasteWORKS\wwscale\GRID.CDX Object is locked skipped
C:\WasteWORKS\wwscale\GRID.DBF Object is locked skipped
C:\WasteWORKS\wwscale\ONHOLD.DBF Object is locked skipped
C:\WasteWORKS\wwscale\RATECODE.CDX Object is locked skipped
C:\WasteWORKS\wwscale\ratecode.dbf Object is locked skipped
C:\WasteWORKS\wwscale\TICKET.CDX Object is locked skipped
C:\WasteWORKS\wwscale\TICKET.DBF Object is locked skipped
C:\WasteWORKS\wwscale\VEHICLE.CDX Object is locked skipped
C:\WasteWORKS\wwscale\VEHICLE.DBF Object is locked skipped
C:\WasteWORKS\wwscale\XREF.CDX Object is locked skipped
C:\WasteWORKS\wwscale\XREF.DBF Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
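
The report above ends with a long list of hits, and the helper's reply sorts them by where they sit: detections inside quarantine or backup folders are already contained, "Object is locked" lines are just files the scanner could not open, and only a detection on a live path would need action. The script below automates that triage for the Kaspersky online-scanner line format shown above. It is an added example, not code from the thread or from Kaspersky; the sample lines are constructed in that format (the `example.dll` line is invented to show a live hit), and the folder names it treats as "contained" are an assumption based on the paths in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the scanner's report format: <path> <verdict> skipped
SAMPLE_LOG = r"""
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\byxwtsr.dll.bac_a01528 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\scale2\.housecall6.6\Quarantine\b122.exe.bac_a01528 NSIS: infected - 3 skipped
C:\VundoFix Backups\agewokpr.dll.bad Infected: Trojan.Win32.BHO.rg skipped
C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\system32\example.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
"""

# Path is taken non-greedily so paths with spaces still parse; the verdict
# alternatives cover the shapes seen in the report above.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked|\S+: infected - \d+)"
    r" skipped$"
)


@dataclass
class Finding:
    path: str
    verdict: str
    detection: str  # detection name, or "" for locked objects
    status: str     # "locked", "contained" or "live"


def is_contained(path):
    """True if the file sits in a quarantine or backup folder (assumed names)."""
    segments = path.lower().split("\\")[:-1]  # directories only
    return any(s == "quarantine" or s.endswith("backups") for s in segments)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    if verdict == "Object is locked":
        detection, status = "", "locked"
    else:
        if verdict.startswith(("Infected: ", "Suspicious: ")):
            detection = verdict.split(": ", 1)[1]
        else:  # archive-level summary such as "NSIS: infected - 3"
            detection = verdict
        status = "contained" if is_contained(path) else "live"
    return Finding(path, verdict, detection, status)


def triage(report_text):
    """Group every parsable report line by status."""
    summary = {"locked": [], "contained": [], "live": []}
    for line in report_text.splitlines():
        f = parse_line(line)
        if f:
            summary[f.status].append(f)
    return summary


def needs_attention(report_text):
    """Detections outside quarantine/backup folders: the ones worth a closer look."""
    return [(f.path, f.detection) for f in triage(report_text)["live"]]


if __name__ == "__main__":
    for status, items in triage(SAMPLE_LOG).items():
        print(f"{status}: {len(items)}")
    for path, det in needs_attention(SAMPLE_LOG):
        print("check:", path, "->", det)
```

On the constructed sample this reports one locked object, three contained hits and two live entries: the invented `example.dll` and the HijackThis log itself, which is flagged as `Suspicious` because the scanner is reacting to the log's own contents rather than to malware, so a live entry still needs a human judgement.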

Mr_JAk3
2007-11-26, 21:44
Hi :)

The Kaspersky findings were in the Quarantines or backups which are easily cleaned.

So the pc is running ok now? :bigthumb:

cali01
2007-11-26, 21:49
Yes it is ...Thank you!! =)

Mr_JAk3
2007-11-27, 18:52
Hi again, it is looking clean now :)

You can remove this folder, C:\Vundofix backups
=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
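
The MVPS hosts file recommended above works by mapping known ad and malware domains to an unroutable address so the browser never connects to them; the same file is also a favourite hijack target, which is why HijackThis reports unexpected hosts entries as O1 lines. The script below, an added example that is not part of the thread or of the MVPS project, parses a hosts file the way the resolver reads it (first match wins), answers whether a name is blocked, and flags protected names that have been pointed at a real address. The hosts excerpt is constructed; `203.0.113.7` is a documentation address standing in for an attacker-controlled one, and the list of names to protect is an assumption.

```python
import ipaddress

# Constructed excerpt in the MVPS layout (0.0.0.0 entries), plus one
# hijack-style line of the kind HijackThis would show as an O1 entry.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 ad.example.net          # blocked ad server
0.0.0.0 tracker.example.org www.tracker.example.org
203.0.113.7 windowsupdate.microsoft.com   # redirects an update site elsewhere
not-an-ip bogus.example
"""

# Addresses a hosts file uses to sink a name; anything else is a real redirect.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Map hostname -> address, keeping the first entry for a name (resolver order)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address field, ignored like the resolver does
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table


def is_blocked(table, host):
    """True if the hosts file sinks this name into a blackhole address."""
    return table.get(host.lower()) in BLACKHOLE


def hijacked_entries(table, protected_hosts):
    """Protected names the hosts file sends to a non-blackhole address."""
    return {
        h: table[h]
        for h in (p.lower() for p in protected_hosts)
        if h in table and table[h] not in BLACKHOLE
    }


# Assumed list of names a user would not want silently redirected.
PROTECTED = ["windowsupdate.microsoft.com", "localhost", "www.mozilla.org"]

if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    print("ad.example.net blocked:", is_blocked(t, "ad.example.net"))
    print("suspicious redirects:", hijacked_entries(t, PROTECTED))
```

Run against the real `%SystemRoot%\system32\drivers\etc\hosts` file, a non-empty result from `hijacked_entries` is exactly the situation the helper's advice is guarding against: a name you rely on for updates or security tools being quietly pointed somewhere else.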