Virtumonde removal



GlennW
2008-02-15, 01:33
I need help removing Virtumonde. What do I need to do? Thanks.

GlennW
2008-02-16, 23:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:32 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1346666A-F3FF-4A29-B8A9-BEBF9117F17F} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\xxyaxwx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73F67620-AE6E-440B-9732-919A2ABC62C0} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202940853.dll
O2 - BHO: (no name) - {E5F72719-D49C-4213-A575-7B6F931D294F} - C:\WINDOWS\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {FD239346-3150-4516-930E-9C71CF564035} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\Program Files\Logitech\WingMan Profiler\LWTest.Exe /detect /quiet /launch ".\Lwpevntm.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [2079e117] rundll32.exe "C:\WINDOWS\system32\dvgclgtx.dll",b
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166154035656
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CDAA0214-3907-4C47-A3F6-014DA1517440} (ArkDownloader Class) - http://www.gamedek.com/download/arkDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://anu.popcap.com/games/popcaploader_v5.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: xxyaxwx - C:\WINDOWS\SYSTEM32\xxyaxwx.dll
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10509 bytes
-----------------------------------------------------------------------------
Kaspersky report too long. Can submit in another post if needed. Thanks.
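
A triage pass over the HijackThis log above, written as an added example for this thread (it is not part of the original posts and not a HijackThis feature). The sample lines are copied from the posted log; the scoring rules are this example's own heuristics for the entry types a helper reads by eye: unnamed BHOs in system32, orphaned CLSIDs, a rundll32 Run entry with a hex name loading a random-looking DLL, and a Winlogon Notify entry that reuses a BHO DLL.

```python
"""Triage HijackThis (HJT) log lines for Virtumonde/Vundo-style persistence.

Added example for this thread; the regexes and the scoring rules are this
example's own heuristics, not HijackThis functionality.
"""
import re
from dataclasses import dataclass, field

# Constructed input: seven lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1346666A-F3FF-4A29-B8A9-BEBF9117F17F} - C:\WINDOWS\system32\vtsqn.dll (file missing)
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\xxyaxwx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2079e117] rundll32.exe "C:\WINDOWS\system32\dvgclgtx.dll",b
O20 - Winlogon Notify: xxyaxwx - C:\WINDOWS\SYSTEM32\xxyaxwx.dll
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - (no file)
"""

# Line shapes as HijackThis 2.0.2 prints them (derived from the log above).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                   r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
O22_RE = re.compile(r'^O22 - SharedTaskScheduler: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.I)


@dataclass
class Finding:
    section: str                 # O2 / O4 / O20 / O22
    subject: str                 # DLL path, Run entry name, or CLSID
    reasons: list = field(default_factory=list)


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def in_system32(path):
    return '\\system32\\' in path.lower()


def random_looking(filename):
    """Heuristic (this example's own): the Virtumonde DLLs in this log are
    5-8 lowercase letters with at most one vowel (vtsqn, awtqq, dvgclgtx)."""
    stem = filename.rsplit('.', 1)[0]
    return bool(re.fullmatch(r'[a-z]{5,8}', stem)) and sum(c in 'aeiou' for c in stem) <= 1


def triage(log_text):
    """Return a Finding for every O2/O4/O20/O22 line that trips at least one rule."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # First pass: DLLs registered as BHOs, so O20 entries can be cross-referenced.
    bho_dlls = {basename(m['path']).lower() for m in map(O2_RE.match, lines) if m}
    findings = []
    for line in lines:
        reasons = []
        if (m := O2_RE.match(line)):
            dll = basename(m['path'])
            if m['name'] == '(no name)' and in_system32(m['path']):
                reasons.append('unnamed BHO loaded from system32')
            if m['missing']:
                reasons.append('orphaned BHO CLSID (file missing)')
            if random_looking(dll):
                reasons.append('random-looking DLL name')
            subject = m['path']
        elif (m := O4_RE.match(line)) and (r := RUNDLL_RE.search(m['cmd'])):
            if re.fullmatch(r'[0-9a-f]{8}', m['entry']):
                reasons.append('Run entry named with 8 hex digits')
            if in_system32(r['dll']) and random_looking(basename(r['dll'])):
                reasons.append('rundll32 loads random-looking system32 DLL')
            if r['export'] is not None and len(r['export']) <= 1:
                reasons.append('single-letter or empty rundll32 export')
            subject = m['entry']
        elif (m := O20_RE.match(line)):
            dll = basename(m['path'])
            if dll.lower() in bho_dlls:
                reasons.append('Winlogon Notify DLL is also registered as a BHO')
            if random_looking(dll):
                reasons.append('random-looking DLL name')
            subject = m['path']
        elif (m := O22_RE.match(line)):
            if m['path'] == '(no file)':
                reasons.append('orphaned SharedTaskScheduler CLSID (no file)')
            subject = m['clsid']
        else:
            continue
        if reasons:
            findings.append(Finding(line.split(' - ', 1)[0], subject, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} {f.subject}')
        for reason in f.reasons:
            print(f'       - {reason}')
```

The legitimate NvCpl and SDHelper entries in the sample produce no finding, while every entry the helper later targets with VundoFix does.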

GlennW
2008-02-17, 00:12
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 9:26:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 567256
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50954
Number of viruses found: 30
Number of infected objects: 176
Number of suspicious objects: 2
Duration of the scan process: 01:09:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Alik Weiss\Application Data\iolo\SystemAnalyzer.log Object is locked skipped
C:\Documents and Settings\Alik Weiss\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B6EE3A72-6D9A-45A0-9C0D-B9EBB78043AF} Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temp\~DF61BB.tmp Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temp\~DF7821.tmp Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temporary Internet Files\Content.IE5\3TA6MH7S\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temporary Internet Files\Content.IE5\DREXQOVO\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alik Weiss\Local Settings\Temporary Internet Files\Content.IE5\RX646ZFD\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Alik Weiss\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Alik Weiss\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\02407606.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\057B15A5.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\06205892.EXE.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\06295687.EXE.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\07DC4599.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\092412A7(1).INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\092412A7.INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\0ACC18B2.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\117178ED.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\1172004F.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\117422E9.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\186E1991.INFECTED Infected: Trojan-Spy.Win32.Small.dj skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\1BF06693.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\1EBA1BEE.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\1F760659.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\21EF0FFE.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\31680F2A.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\32C046F0(1).INFECTED Infected: Trojan-Dropper.Win32.Small.gj skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\32C046F0.INFECTED Infected: Trojan-Dropper.Win32.Small.gj skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\35BD2A5D.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\35C05459.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\35C37E56.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\397A20DA.EXE.INFECTED Infected: Backdoor.Win32.MoSucker.06 skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\3C316C32.INFECTED Infected: not-a-virus:AdWare.Win32.SurfAccuracy.n skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\3C34162E.INFECTED Infected: not-a-virus:AdWare.Win32.SurfAccuracy.n skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\3C38402A.INFECTED Infected: not-a-virus:AdWare.Win32.SurfAccuracy.n skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\415A436A.VBS(1).INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\415A436A.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\4184653B.VBS(1).INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\4184653B.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\41AD2A83(1).INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\41AD2A83.INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\437255DF.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\44B93D31.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\46F8049D(1).INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\46F8049D.INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\4CB6524C(1).INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\4CB6524C.INFECTED Infected: Email-Worm.Win32.Sircam.c skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\51F00AA5.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\5B7C30F5.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\5C8D7741.exe.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\5E4441C5.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\62971E9F.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\69CC5554.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\70D35D53.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\74B158B4.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\76083E9C.INFECTED Infected: Trojan.Java.ClassLoader.f skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\7D854DF4.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\7EF05F32.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174397.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174398.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174399.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174400.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174401.exe.INFECTED Infected: Trojan.Win32.StartPage.nk skipped
C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\A0174402.VBS.INFECTED Infected: Email-Worm.VBS.Gedza skipped
C:\Documents and Settings\All Users\Application Data\iolo\FileInfoList\IOLOFIL.FDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f149e3de6a099b2a7f8a574131e6726_eeab2b6a-f9e8-48ba-819c-a722dea5ff5c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a87d1ccf7d23dd081601f92fea6987a_eeab2b6a-f9e8-48ba-819c-a722dea5ff5c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\befeb7d8b9cf54c563246a6527a1bbba_eeab2b6a-f9e8-48ba-819c-a722dea5ff5c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c8a5238adf06ee9e9ffe3bedd85689d6_eeab2b6a-f9e8-48ba-819c-a722dea5ff5c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dfc9a447f2c94d2d30ab47e16ce1b2b0_eeab2b6a-f9e8-48ba-819c-a722dea5ff5c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07182007-010043.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt2.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-14_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Helper\1202940853.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\Program Files\InstallShield Installation Information\{6675E71B-9843-4971-BC15-18AB52801134}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{909354DE-C180-4B00-B61F-9A6D805E5796}\setup.ilg Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\02BB2114.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\04A42548.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\04F36888.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B0D0E5C.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CAD3547.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\118C12ED.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\17016614.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\19E24D9A.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\21AB5778.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\22C5153B.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\23A615FF.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\263347CE.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\2B1A2186.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C6853B5.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\2E3C37E8 Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F971F02.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\30D80455.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\362044F6.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\38B8341B.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A9922BE.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\4119080E.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\46B12396.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\47CB1114.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton AntiVirus\Quarantine\4FF35C8B.exe Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\01BD2102 Object is locked skipped

pskelley
2008-02-17, 13:47
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected; I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.

We have a bit of a mess here. If you wish to clean this up, expect it to be neither easy nor fast; there are issues and multiple malware.

You are running two (or more) antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\Common Files\Authentium\AntiVirus\
C:\Program Files\iolo\System Mechanic Professional 7\AntiVirus\
C:\Program Files\Common Files\Symantec Shared\Security Center\

When you have one antivirus program and one firewall running, then do this.

We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum, please.

That is just the beginning, we have a long way to go.

Thanks

You can do this time permitting (Kaspersky)

C:\Documents and Settings\Alik Weiss\Local Settings\Temporary Internet Files\ <<< delete the contents

C:\Documents and Settings\All Users\Application Data\iolo\AntiVirus\Quarantined\ <<< delete the contents

C:\Program Files\Norton AntiVirus\Quarantine\ <<< delete the contents

GlennW
2008-02-18, 03:09
How do I remove the other antivirus software? They are not listed in Add/Remove Programs. I already uninstalled Norton AntiVirus, but it is still listed here.
I don't know where the first antivirus software (first line) came from.
I just want to keep the second line, system mechanic.

Thanks.

pskelley
2008-02-18, 12:06
Is this your computer? I find it strange that an antivirus program is installed and you don't know it is there. Have a look here:
http://www.google.com/search?hl=en&q=uninstall+Authentium%5CAntiVirus&btnG=Search
I would prefer not to delete it manually if at all possible.
Is it possible this was something your Internet Service Provider made available? I have seen EarthLink mentioned.

Try this information for Symantec: http://basconotw.mvps.org/SymRem.htm

You have several nasty infections and I would prefer not to proceed until you have resolved this issue. Once you have those removed, then proceed to these instructions.

1) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum, please.

(wait until you finish the instructions to post logs and reports)

2) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

Post the report from Fixwareout, the Vundofix.txt and a new HJT log

Thanks