
help with vertumonde.generic



blackcat275
2008-01-17, 04:13
Hi guys

Having trouble getting rid of the Virtumonde.generic beastie.

I have run Spybot a number of times in both normal and safe mode.

I also have a number of viruses on the system. How can I get rid of these? I have already run the virus scanner a number of times and tried deleting them.

Here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 48218
Number of viruses found: 11
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 00:42:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip/opnoonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip/opnoonl.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip/opnoonl.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip/prolooker.dll Infected: not-a-virus:AdWare.Win32.BHO.ta skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip/laf4.exe Infected: not-virus:Hoax.Win32.Renos.aos skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt4.zip/ictun.exe Infected: Trojan-Downloader.Win32.Zlob.frl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Keith\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-506f6b50-4a163744.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Keith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\History\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\laf4.exe_old Infected: not-virus:Hoax.Win32.Renos.aos skipped
C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Keith\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Keith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Keith\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\count.jar-453fec19-7a516236.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\count.jar-453fec19-7a516236.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-14e46f0-1f29a75d.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-14e46f0-1f29a75d.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-27406485-6f6ac201.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-27406485-6f6ac201.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\pRT.jar-64395656-6db263e3.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\pRT.jar-64395656-6db263e3.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031396.dll Infected: not-a-virus:AdWare.Win32.HotBar.ch skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031399.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bl skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031431.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031432.dll Infected: not-a-virus:AdWare.Win32.BHO.ta skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP240\A0031459.exe Infected: Trojan-Downloader.Win32.Zlob.frl skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP240\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fsehfcu.dll Infected: Trojan-Downloader.Win32.Bojo.ae skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_508.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

The Spybot log:

--- Search result list ---
Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

--- Process list ---
PID: 0 ( 0) [System]
PID: 504 ( 0) \SystemRoot\System32\smss.exe
size: 50688
PID: 556 ( 0) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 580 ( 0) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 624 ( 0) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 636 ( 0) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 780 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 836 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 876 ( 0) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 924 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1020 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1236 ( 0) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1304 ( 0) C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
size: 17272
MD5: 591E7CDF35DE74D55CD462A13FBADE5E
PID: 1352 ( 0) C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 140664
MD5: DBBB6E20EC8C38902C4935B249AEBE2A
PID: 1492 ( 0) C:\WINDOWS\system32\Rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 1500 ( 0) C:\WINDOWS\system32\keyhook.exe
size: 249856
MD5: 0E9748A140A5A6A86379E1993B574F8E
PID: 1508 ( 0) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 7A011702C0AA86AD79EFA86E66F411DC
PID: 1524 ( 0) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 135168
MD5: 34FC457931D0F9C7CF2F1371764D715C
PID: 1532 ( 0) C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
size: 36975
MD5: 1F6573D67DD5DC06DD29EC7FCF81DC6F
PID: 1552 ( 0) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
size: 53248
MD5: EFEA5551E578FF6FE52B5DB15CE13390
PID: 1568 ( 0) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: 88D86112DD9F2BB6A603674706C7E846
PID: 1612 ( 0) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
PID: 1716 ( 0) C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 171448
MD5: 0FA44EA8B03ABA3E1D240B5A333D8E6A
PID: 1800 ( 0) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1460560
MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E
PID: 1948 ( 0) C:\WINDOWS\system32\sistray.exe
size: 331776
MD5: 75D2905CC72D4DEB2771EEF42A809C35
PID: 2004 ( 0) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 172 ( 0) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4943184
MD5: C92780F50B8BB7A89E919585916494A9
PID: 352 ( 0) C:\WINDOWS\system32\slserv.exe
size: 45056
MD5: 495B6A1F09E2390D0B5D718CD260E541
PID: 372 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1196 ( 0) C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
size: 247160
MD5: 36088BA16E85C081D7BC48725872D540
PID: 1004 ( 0) C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
size: 345464
MD5: 86ACF7955F4DB72880F61D724A97855A
PID: 2188 ( 0) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2640 ( 0) C:\WINDOWS\system32\wuauclt.exe
size: 53080
MD5: F3E9065EB617A7E3A832A7976BFA021B
PID: 2788 ( 0) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8
PID: 544 ( 0) C:\WINDOWS\system32\NOTEPAD.EXE
size: 69120
MD5: 388B8FBC36A8558587AFC90FB23A3B99

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{235D61FB-345A-4CD4-8FF6-A400281D453C}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E49F710-E4E4-40D1-899B-673D3073F376}: Domain = nsw.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

I have already run VundoFix to no effect.
What do you suggest?

Thanks for your help, it is much appreciated.
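An added example, not part of the original post: a small Python script that reads a Kaspersky Online Scanner report in the format shown above and sorts each "Infected:" line by where the object actually lives. Most of the 31 hits in this report sit in holding areas (Spybot's Recovery backups, System Volume Information restore points, the RECYCLER bin, the Java deployment cache, Local Settings\Temp) rather than in place on disk. The path markers used to recognise those areas are assumptions about this XP machine's layout, not something the scanner reports, and the embedded report is a constructed subset of the lines posted above.

```python
import re

# Constructed sample in the format of the Kaspersky Online Scanner report
# posted above: a handful of the original lines, enough to cover each
# location type the full report contains.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip/opnoonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Keith\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-506f6b50-4a163744.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Keith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Keith\Local Settings\Temp\laf4.exe_old Infected: not-virus:Hoax.Win32.Renos.aos skipped
C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\count.jar-453fec19-7a516236.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP240\A0031459.exe Infected: Trojan-Downloader.Win32.Zlob.frl skipped
C:\WINDOWS\system32\fsehfcu.dll Infected: Trojan-Downloader.Win32.Bojo.ae skipped
"""

# One detection per line: "<path> Infected: <detection name> skipped".
# Archive summary lines ("ZIP: infected - 1") and "Object is locked" lines
# add nothing new and are ignored.
_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Assumed holding areas on this machine, as (category, path marker) pairs;
# the first marker found in the lower-cased path wins. Windows paths are
# case-insensitive, so the comparison is too.
_LOCATIONS = [
    ("spybot-backup", "\\spybot - search & destroy\\recovery\\"),
    ("restore-point", "\\system volume information\\_restore"),
    ("recycle-bin",   "\\recycler\\"),
    ("java-cache",    "\\sun\\java\\deployment\\cache\\"),
    ("user-temp",     "\\local settings\\temp\\"),
]


def classify(path: str) -> str:
    """Return where the detected object lives; 'live' means no known
    holding area matched, so the file is actually in place on disk."""
    lowered = path.lower()
    for category, marker in _LOCATIONS:
        if marker in lowered:
            return category
    return "live"


def triage(report_text: str) -> dict:
    """Group every 'Infected:' line of a report by location category.
    Each value is a list of (path, detection_name) tuples in report order."""
    groups: dict = {}
    for line in report_text.splitlines():
        match = _INFECTED.match(line.strip())
        if not match:
            continue
        path, name = match.group("path"), match.group("name")
        groups.setdefault(classify(path), []).append((path, name))
    return groups


def live_objects(report_text: str) -> list:
    """Paths that are neither quarantined, in a restore point, in the
    recycle bin nor in a cache: the ones that still need removing."""
    return [path for path, _ in triage(report_text).get("live", [])]


if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        print(f"[{category}] {len(items)} object(s)")
        for path, name in items:
            print(f"    {name}  <-  {path}")
    print("\nStill on disk outside any holding area:")
    for path in live_objects(SAMPLE_REPORT):
        print("   ", path)
```

A copy inside a Spybot backup zip or a restore point cannot run until something restores it, so the list worth acting on first is the "live" one; on this sample that is the system32 DLL, with the Java cache and Temp entries the next things to clear.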

steamwiz
2008-01-17, 21:58
Hi

1. Delete your Spybot - Search & Destroy backups ...

How do I clean out the Spybot backups?

1. Run Spybot
2. Click on "Recovery" on the left side
3. Place a checkmark in all of the boxes on the right side
4. From the top menu click on "Purge selected items"
5. This will remove those backups.

--
2. Paste this into your address bar & click GO :-

C:\Documents and Settings\Keith\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

Then delete this file: game.class-506f6b50-4a163744.class

--
3. Empty your RECYCLE bin

--
4. Find & delete this file :-

C:\WINDOWS\system32\fsehfcu.dll

--
5.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

steam

blackcat275
2008-01-18, 00:22
OK, files have been deleted as requested.

Here is the ComboFix log:

ComboFix 08-01-18.3 - Keith 2008-01-18 9:56:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT 11:00]
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Keith\Application Data\DriveCleaner Free
C:\Documents and Settings\Keith\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Keith\err.log
C:\Documents and Settings\Keith\ResErrors.log
C:\Program Files\Helper
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-18 09:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 11:21 . 2005-04-12 09:59 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-17 11:21 . 2005-04-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-01-16 15:55 . 2008-01-16 15:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 15:55 . 2008-01-16 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 15:06 . 2008-01-16 15:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 12:26 . 2008-01-16 12:26 <DIR> d-------- C:\VundoFix Backups
2008-01-16 09:51 . 2008-01-16 09:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-16 09:51 . 2007-12-05 00:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-16 09:51 . 2004-01-09 21:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-16 09:51 . 2007-12-04 23:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-16 09:51 . 2007-12-05 01:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-16 09:51 . 2007-12-05 01:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-16 09:51 . 2007-12-05 01:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-16 09:51 . 2007-12-05 01:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-16 09:51 . 2007-12-05 01:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-15 17:02 . 2008-01-15 18:09 151 --a------ C:\WINDOWS\wininit.ini
2008-01-15 16:23 . 2008-01-15 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 16:11 . 2008-01-18 09:55 <DIR> d-------- C:\Documents and Settings\Keith\Application Data\U3
2008-01-15 11:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-15 11:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-15 11:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-15 11:08 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-09 00:26 . 2008-01-16 10:46 <DIR> d-------- C:\Program Files\VirusProtect 3.9
2008-01-09 00:26 . 2008-01-09 11:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 21:42 --------- d-----w C:\Documents and Settings\Keith\Application Data\Canon
2007-12-15 15:46 --------- d-----w C:\Documents and Settings\Keith\Application Data\CyberLink
2007-12-03 12:20 --------- d-----w C:\Program Files\Google
2007-11-24 13:17 2,100 ----a-w C:\Documents and Settings\Keith\Application Data\wklnhst.dat
2007-02-28 14:52 92,064 ----a-w C:\Documents and Settings\Keith\mqdmmdm.sys
2007-02-28 14:52 9,232 ----a-w C:\Documents and Settings\Keith\mqdmmdfl.sys
2007-02-28 14:52 79,328 ----a-w C:\Documents and Settings\Keith\mqdmserd.sys
2007-02-28 14:52 66,656 ----a-w C:\Documents and Settings\Keith\mqdmbus.sys
2007-02-28 14:52 6,208 ----a-w C:\Documents and Settings\Keith\mqdmcmnt.sys
2007-02-28 14:52 5,936 ----a-w C:\Documents and Settings\Keith\mqdmwhnt.sys
2007-02-28 14:52 4,048 ----a-w C:\Documents and Settings\Keith\mqdmcr.sys
2007-02-28 14:52 25,600 ----a-w C:\Documents and Settings\Keith\usbsermptxp.sys
2007-02-28 14:52 22,768 ----a-w C:\Documents and Settings\Keith\usbsermpt.sys
2004-10-11 09:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 04:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 03:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 03:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 02:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 02:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-19 01:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-19 01:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-19 01:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-19 01:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-19 01:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-19 01:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-19 01:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-19 01:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-19 01:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-19 01:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-19 01:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-19 01:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-19 01:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-19 01:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-19 01:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-19 01:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-19 01:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8800AC00-6916-44CF-8E97-5BC152E4891D}]
C:\WINDOWS\system32\pmkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC486A2-1DA6-4EF7-845B-B87F3C138869}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 21:15 106496]
"SiSPower"="SiSPower.dll" [2004-09-02 16:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 14:44 249856]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 02:07 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 19:33 69721]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36 36975]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-04-12 09:59:57]

R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 05:18]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-28 15:00]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 10:00:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 10:03:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 23:03:21
.
2008-01-15 07:27:08 --- E O F ---


And here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:29 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{235D61FB-345A-4CD4-8FF6-A400281D453C}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E49F710-E4E4-40D1-899B-673D3073F376}: Domain = nsw.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4763 bytes

Thanks for your help

steamwiz
2008-01-18, 21:43
Hi

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ...

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 4' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

Then ....

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Registry:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8800AC00-6916-44CF-8E97-5BC152E4891D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC486A2-1DA6-4EF7-845B-B87F3C138869}]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ALSO ...

Please run a new KASPERSKY ONLINE SCAN & post the log ...

steam
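As an added example (editor's illustration, not code from either poster, HijackThis or ComboFix): the triage steamwiz did by eye on the O2 lines of the HijackThis log above can be scripted. The sample lines below are copied from the log in the first post; the function names are my own. It flags the BHO entries whose DLL is "(no file)" or "(file missing)", which is the orphaned-registration pattern that a half-removed Virtumonde DLL leaves behind, and then renders those CLSIDs in the same `Registry::` block layout that steamwiz's reply uses (the `\~\` shorthand is left exactly as it appears in that reply).

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: O2/O3 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or status>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)


@dataclass
class BhoFinding:
    name: str    # "(no name)" is typical for the orphaned Virtumonde entries
    clsid: str   # registry key under Browser Helper Objects
    path: str    # what HijackThis printed after the CLSID
    reason: str  # "no file" or "file missing"


def triage_bho_entries(log_text: str) -> List[BhoFinding]:
    """Return the O2 entries whose DLL is missing (orphaned registrations)."""
    findings: List[BhoFinding] = []
    for raw in log_text.splitlines():
        m = BHO_RE.match(raw.strip())
        if not m:
            continue  # not an O2 line (O3 toolbars, O4 run keys, ...)
        path = m.group("path").strip()
        if path == "(no file)":
            reason = "no file"
        elif path.endswith("(file missing)"):
            reason = "file missing"
        else:
            continue  # DLL is present on disk; nothing to flag here
        findings.append(BhoFinding(m.group("name"), m.group("clsid"), path, reason))
    return findings


def cfscript_registry_block(clsids: List[str]) -> str:
    """Render CLSIDs in the Registry:: layout used in steamwiz's reply above."""
    lines = ["Registry::"]  # must be the very first line of CFScript.txt
    for clsid in clsids:
        lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + clsid + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage_bho_entries(SAMPLE_LOG)
    for f in found:
        print(f"{f.clsid}  {f.name}  [{f.reason}]  {f.path}")
    print()
    print(cfscript_registry_block([f.clsid for f in found]), end="")
```

Running it on the log above reports the two unnamed BHOs (the `pmkhe.dll` one marked "file missing" and the one with "(no file)") and nothing else; the Adobe, Spybot and Google helpers have their DLLs in place and are left alone. Any CLSID a helper adds from other evidence (the third key in steamwiz's block is not in this HJT log) would have to be appended by hand.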