View Full Version : i have the virtumonde trojan
SB S&D keeps finding ddcyy.dll and nothing i have done can get rid of it
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\brett\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 26, 2008 6:47:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/03/2008
Kaspersky Anti-Virus database records: 664264
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 57278
Number of viruses found: 6
Number of infected objects: 171
Number of suspicious objects: 0
Duration of the scan process: 01:16:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\indexer\indexer_128.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\indexer\indexer_256.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\indexer\indexer_512.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\indexer\indexer_64.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon_1024.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon_128.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon_256.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon_512.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\lexicon\lexicon_64.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account10\2007\11\27\97.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account10\2007\12\21\692.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account10\2008\03\05\2164.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account11\2007\12\12\485.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account11\2007\12\13\501.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account11\2008\01\10\1020.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account11\2008\02\26\2007.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account11\2008\03\11\2309.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2007\11\27\116.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2007\11\27\89.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2007\12\26\786.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\01\04\935.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\01\20\1203.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\02\01\1428.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\02\02\1431.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\04\2150.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\08\2238.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\09\2256.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\12\2334.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\16\2424.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\17\2442.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\17\2454.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\17\2455.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\20\2511.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\21\2525.mbs Object is locked skipped
C:\Documents and Settings\brett\Application Data\Opera\Opera\mail\store\account9\2008\03\26\2632.mbs Object is locked skipped
C:\Documents and Settings\brett\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\brett\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\brett\Local Settings\Application Data\ApplicationHistory\BitMeter2.exe.4a2984fe.ini.inuse Object is locked skipped
C:\Documents and Settings\brett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\brett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\brett\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\brett\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\brett\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\brett\ntuser.dat Object is locked skipped
C:\Documents and Settings\brett\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\F-Secure\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program Files\F-Secure\Anti-Virus\Qrt.log Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\cache.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\L0000040.FCS Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\F-Secure\BackWeb\7681197\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\F-Secure\common\admin.pub Object is locked skipped
C:\Program Files\F-Secure\common\policy.bpf Object is locked skipped
C:\Program Files\F-Secure\common\policy.ipf Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP10\A0000682.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP10\A0000683.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP10\A0000684.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP10\A0000846.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000921.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000925.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000926.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000939.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000997.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP11\A0000999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001035.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001039.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001052.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001053.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP12\A0001113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP19\A0002042.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP2\A0000017.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP2\A0000114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP20\A0002206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP22\A0002317.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP22\A0002382.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP23\A0002612.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP24\A0002698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP24\A0002803.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP25\A0002869.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP26\A0002917.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP28\A0003010.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP28\A0003011.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP3\A0000221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004410.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004411.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004412.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004422.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004423.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004424.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004425.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004439.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004440.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004444.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004446.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004452.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004454.dll Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004457.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004458.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004465.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004467.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP33\A0004482.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP34\A0004541.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP34\A0004542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP34\A0004544.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP34\A0004554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004624.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004641.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004727.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004738.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004739.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004740.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004741.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004755.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004756.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004760.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004762.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004768.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004770.dll Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004774.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004781.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004783.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004798.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0004857.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006253.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006254.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006256.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006257.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006258.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006259.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006262.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006263.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006264.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006265.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006266.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006267.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006268.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006269.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP35\A0006270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0008323.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0008324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0008327.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0009427.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0009428.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0009429.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0009478.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP36\A0009510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010550.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010551.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010635.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010636.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010637.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010638.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010697.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010700.dll Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010701.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010704.dll Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010705.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010706.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010707.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010708.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010709.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010710.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010711.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010712.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010713.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP37\A0010714.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP39\A0011329.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP39\A0011330.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP39\A0011332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000272.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000273.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000283.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP4\A0000319.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012390.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012391.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\A0012426.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP43\change.log Object is locked skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP5\A0000421.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP8\A0000569.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP8\A0000570.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP8\A0000571.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BA23F7CE-96EF-4105-8299-2CC6119CE6EB}\RP8\A0000613.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qwatknsh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\vhgweuyb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xuijkvoj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ycrhcidc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A5403A23-34D7-4EA7-B4E2-8B5CD35A96CB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcyy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2008-03-27, 12:27
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
If you want help, this is how I want you to start.
1) You have cut off the header of the HJT log and I want you to download it again, following these instructions exactly.
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
(wait until I request the HJT log later)
2) You have a very infected System Restore, most everything KOS found so DO NOT use it until we get it clean later.
3) Delete Smitfraudfix and Vundofix from the computer if they are still there.
4) Thanks to LonnyBJones and anyone else who helped with this fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to yourDesktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
(wait until we finish to post the reports and logs)
5) Thanks to Atribune and any others who helped with this fix.
Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Follow these directions starting at: Normal Usage for Removal
http://vundofix.atribune.org/
Post the Vundofix.txt and a new HJT log
Vundofix.txt will be on the C:\
6) Post the report from Fixwareout, the Vundofix.txt and a new HJT log. When you copy/paste from notepad, use EDIT > SELECT ALL > paste the highlited information completely.
Thanks
Username "brett" - 03/27/2008 11:00:11 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"BM7bba376b"="Rundll32.exe \"C:\\WINDOWS\\system32\\ceacquig.dll\",s"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
no vondofix detection or log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:23 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM7bba376b] Rundll32.exe "C:\WINDOWS\system32\ceacquig.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
--
End of file - 7015 bytes
thank you very much for the help
pskelley
2008-03-27, 18:03
Post the Vundofix.txt and a new HJT log
Vundofix.txt will be on the C:\
Please post the information I request.
Thanks
VundoFix V7.0.3
Scan started at 11:10:34 AM 3/27/2008
Listing files found while scanning....
No infected files were found.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:45 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
--
End of file - 6988 bytes
pskelley
2008-03-27, 19:55
1) Thanks to LonnyBJones and anyone else who helped with this fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to yourDesktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
(wait until you finish to post the report and log)
2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it pegfrog.exe, that will work, restart and post the report from Fixwareout and a new HJT log.
Thanks
Username "brett" - 03/27/2008 15:09:32 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"F-Secure Manager"="\"C:\\Program Files\\F-Secure\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\F-Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"BM7bba376b"="Rundll32.exe \"C:\\WINDOWS\\system32\\yuupprgf.dll\",s"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:17 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\pegfrog.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {5059068b-9f38-6feb-f8a4-03001a08c5b3} - {3b5c80a1-0030-4a8f-bef6-83f9b8609505} - C:\WINDOWS\system32\sdvucobp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {CA26AD49-43ED-4F30-8FC8-11252E6CDF9C} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: (no name) - {F0BEE013-08D8-4750-A917-83DD9303F12B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM7bba376b] Rundll32.exe "C:\WINDOWS\system32\yuupprgf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: ssqrrpq - ssqrrpq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
--
End of file - 7803 bytes
pskelley
2008-03-27, 22:01
Read and follow the directions carefully:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.
C:\WINDOWS\system32\sdvucobp.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\yuupprgf.dll
Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Fix Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions
starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {5059068b-9f38-6feb-f8a4-03001a08c5b3} - {3b5c80a1-0030-4a8f-bef6-83f9b8609505} - C:\WINDOWS\system32\sdvucobp.dll
O2 - BHO: (no name) - {CA26AD49-43ED-4F30-8FC8-11252E6CDF9C} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: (no name) - {F0BEE013-08D8-4750-A917-83DD9303F12B} - (no file)
O4 - HKLM\..\Run: [BM7bba376b] Rundll32.exe "C:\WINDOWS\system32\yuupprgf.dll",s
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: ssqrrpq - ssqrrpq.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Right click Start > Explore and navigate to these files/folders and delete them if there.
(make sure these files are gone)
C:\WINDOWS\system32\sdvucobp.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\yuupprgf.dll
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report and a new HJT log. Tell me how the computer is running.
Thanks
VundoFix V7.0.3
Scan started at 5:51:24 PM 3/27/2008
Listing files found while scanning....
No infected files were found.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:52 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\pegfrog.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intergate.com/startpage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intergate.com/startpage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
--
End of file - 6925 bytes
the computer seem to be OK on the
O2 - BHO: (no name) - {CA26AD49-43ED-4F30-8FC8-11252E6CDF9C} - C:\WINDOWS\system32\ddcyy.dll
it had a diffrent letter/ number sequence and had ddcyy.dll (missing file) but i removed it any way
question how do i get rid of the SB S&D restore logs ? and do i need to ?
pskelley
2008-03-27, 23:31
Did you check these?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
There are not malware but you don't need them. Try to remove them again with HJT.
(do you use TeaTimer in Spybot S&D?)
Besides that, the HJT log looks good.
1) C:\Documents and Settings\brett\Desktop\SmitfraudFix\ <<< remove Smitfraudfix from your computer
2) Delete vundofix and the C:\Vundofix Backups\
3) Empty the Recycle Bin on the Desktop
4) Restart the computer
5) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
The next scan should be clean, I do not need to see a clean scan.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
pskelley,
no i do not use Tea Timer
these are being blocked from removal by F-secure AV/firewall
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
and for some reason my Administrator`s status is being blocked from accessing the restore function completely
it doesnt show up in the My Computer /properties as an option
and i cannot get to it anyother way
this first happened while the virtumonde was on my system and the friend who sent me this computer was able to get me access by activating the administrator account which is now being blocked from access to the restore function
so i am stumped
i want to thank you for your help it is much appreciated
pskelley
2008-03-28, 00:34
The two items are not a big thing, but you surely need to be able to clean System Restore, have a look here:
http://www.kellys-korner-xp.com/xp_tweaks.htm
and in the link I posted:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
If that does not do it, you should ask for help here:
http://support.microsoft.com/
Thanks
i ran a SB S&D scan and it came up with this
C:\windows\system32\dfwujyss.dll
and 3 registries
HKEY_USERS\S-1-5-21-180674531-527237240-839522115-1003\software\microsoft\aldd
HKEY_USERS\S-1-5-21-180674531-527237240-839522115-1003\software\microsoft\rdfa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
pskelley,
well i used SB S&D fix on those problems and rebooted and now i come up clean no detections
so maybe we licked it time will tell
THANK YOU VERY MUCH
sincerly ,
pegfrog