View Full Version : I have Virtumonde trojan Please HELP!!!
chuckjab
2008-06-01, 21:17
My Fiancee computer is infected. I have ran your Spybot program and it says that Virtumonde is on the computer but when i go to fix it and restart it it returns. If you could help me in trying to get rid of this I would be forever greatful. Thanks in advance for any help that you can supply. this infection is on a windows vista laptop. I will keep and eye on this board and respond as soon as I can to any request for info or what to do. i am not 100% tech savey but should be able to do whatever is needed as long as it is explained. Thanks again, Charlie
Hello Charlie
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
chuckjab
2008-06-05, 05:08
I have been trying to download what you have asked me however every time it gets to the end of the scan and I go to save a copy of it a running internet explorer page in background prevents me from doing it. I did finally get it saved once however it will not show up on the desktop and no longer can be found. This Virtumonde is getting wose by the day and I can barley do anything now. I was able to get a highjackthis log and it is posted here. I will continueto try to get the K report and post it. Please let me know what else I can do and again thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:50 PM, on 6/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Katie\AppData\Local\Temp\hgGwWNdB.dll,#1
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Katie\lsass.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Katie\AppData\Local\Temp\xxyvvSmM.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BM76ee0c25] Rundll32.exe "C:\Users\Katie\AppData\Local\Temp\ldbvvhjj.dll",s
O4 - HKCU\..\Run: [75dd3fb9] rundll32.exe "C:\Users\Katie\AppData\Local\Temp\jmisnepx.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9037 bytes
Hello Chuck,
You have quite a few issues going on here, besides the Vundo Trojan your infected with the SDBot worm
Before we proceed, you need to disable the TeaTimer in Spybot Search and Destroy.
Disable the TeaTimer, you can re enable it when were done if you wish
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Then you also need to disable Windows Defender
We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the fix.
To disable Real-Time Protection: Go to "Tools" | "General Settings" Scroll down to "Real-time protection >Options" Uncheck "Turn on real-time protection (recommended)"
Remember to reactivate this feature when we have finished all our work.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Katie\AppData\Local\Temp\hgGwWNdB.dll,#1
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Katie\lsass.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Katie\AppData\Local\Temp\xxyvvSmM.dll,c
O4 - HKCU\..\Run: Rundll32.exe "C:\Users\Katie\AppData\Local\Temp\ldbvvhjj.dll",s
O4 - HKCU\..\Run: [75dd3fb9] rundll32.exe "C:\Users\Katie\AppData\Local\Temp\jmisnepx.dll",b
This next tool needs to be run in Safemode to be effective. Download the tool and then boot to safemode
To Enter Safemode
Go to [b]Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Then run this program in normal windows
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
I need you to post the SDFix log, the Malwarebytes log and a new HJT log, it most likely won't all fit in one reply so take as many replies as you need to post all the logs.
chuckjab
2008-06-09, 01:43
I am back. I have done everything that you have instruted however I could not run the SDFix runthis.bat. When I started up in safe mode and double clicked the black screen would come up for a 1/2 secound and go back off. I tried this a number of times with no luck. (i cannot figure out what is going on) There is a new HJT log as well as the MaleWareBytes log. Please let me know what else I need to do and what i can do about SDFix. Thanks again for all of your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:32 PM, on 6/8/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-4194038908-3935335703-2413737941-1000\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - S-1-5-21-4194038908-3935335703-2413737941-1000 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8923 bytes
Malwarebytes' Anti-Malware 1.15
Database version: 841
4:16:53 PM 6/8/2008
mbam-log-6-8-2008 (16-16-53).txt
Scan type: Quick Scan
Objects scanned: 37552
Time elapsed: 7 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 44
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Users\Katie\AppData\Local\Temp\xxyvvSmM.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1900a5a8-4bf1-42da-9604-90ae61ee7d79} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1900a5a8-4bf1-42da-9604-90ae61ee7d79} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM76ee0c25 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM76ee0c25 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\users\katie\appdata\local\temp\xxyvvsmm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\users\katie\appdata\local\temp\xxyvvsmm -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Katie\AppData\Local\Temp\xxyvvSmM.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Katie\AppData\Local\Temp\MmSvvyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\MmSvvyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\cbXOIYpP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\friqfmhk.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\fyeajxfl.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\hlhaiofy.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\jhxlvorr.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\kodtkvim.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\kquamkyp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\ktmvrkfc.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\lxxubckw.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\msdhbxak.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\nflxndni.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\ohtxjabn.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\qcxlnuqx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\qoryqbbn.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\rvaeiieh.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\sqcvqrsc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00015521 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00015bd5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp000167c6 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp000168df (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001694c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001699a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00016c68 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00016da0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00016dcf (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001735b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp000174f0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001778f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp000188dd (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00018aa2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001980a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00019a3b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0001a14d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp00021248 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0002bbdf (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\tmp0003903d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\yjgifhft.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\Local Settings\Temporary Internet Files\Content.IE5\4HYSG6E6\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Users\Katie\Local Settings\Temporary Internet Files\Content.IE5\TUZNEDBO\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Katie\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Katie\AppData\Local\Temp\pjjupoep.dll (Trojan.Agent) -> Delete on reboot.
pskelley
2008-06-09, 01:56
Hi Charlie, Ken is unavailable temporarily, I'll see what I can do to help. MBAM did a great job removing the junk and as far as I can see your latest HJT log is clean of malware. Could I get a report from you on how the computer is running.
I would also like to see a Kaspersky Online Scan (KOS) follow these instructions:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks...Phil
chuckjab
2008-06-11, 01:47
Hi Phil,
I have ran the Kaspersky Online Scan and it is posted here. My Fiancee's computer seems to be running alot better now and I believe that this nightmare is finally coming to an end. I just want to thank you guys again for the wonderful help that you have provided and I am forever greatful. if there is anything else that I need to do please let me know. Again, thanks for all of your help. you and Ken have been a termendous help.
Charlie
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 9, 2008
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 09, 2008 19:26:50
Records in database: 844518
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 138208
Threat name 9
Infected objects 56
Suspicious objects 0
Duration of the scan 01:48:08
File name Threat name Threats count
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IR3MI0P6\kb516107[1] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IR3MI0P6\kb516107[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IR3MI0P6\kb767887[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MR0ATKUB\kb456456[1] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MR0ATKUB\kb516107[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MR0ATKUB\kb767887[1] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb456456[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb456456[3] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb516107[1] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb516107[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb516107[3] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb516107[4] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUZNEDBO\kb767887[2] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AU71KNKB\kb456456[1] Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XGGG4F0K\index[1].htm Infected: Trojan.JS.Pakes.l 1
C:\Users\Katie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XGGG4F0K\webinst[1].cab Infected: Trojan-Downloader.Win32.FraudLoad.atc 1
C:\Users\Katie\AppData\Local\Temp\badqgamr.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\bfdlqsyw.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\bfgoskvt.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\bjefgktf.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\clxnvaqn.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ecxuqkes.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\emxgpbip.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\fwudvyem.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\hagcdyeu.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\hpfcthxt.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\hqcwpquj.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ijcsccok.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\jmisnepx.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\jyhsjytd.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\knsgvbfb.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ldbvvhjj.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\liukyoni.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor 1
C:\Users\Katie\AppData\Local\Temp\lnsilljm.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\lvlgfihm.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\lyocmofq.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\navjdecs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.szt 1
C:\Users\Katie\AppData\Local\Temp\ncfawxkr.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\oeumajju.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\omgqvejx.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ommhsfjd.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ptgfpcdr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.uor 1
C:\Users\Katie\AppData\Local\Temp\qmgvwsym.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\tnfnurrp.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\tnqogkni.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\tvnnbeaf.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\vlnkjuvf.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\woykijyl.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ykcghnyw.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\AppData\Local\Temp\ytdggqgk.dll Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\Desktop\kasp Infected: Trojan.Win32.Mondera.gen 1
C:\Users\Katie\Downloads\symanteccode.rar Infected: Trojan-Downloader.Win32.Small.ddp 1
C:\Users\Katie\Shared\02 Track 2.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Users\Katie\Shared\Backstreet Boys - Helpless When She Smiles.wma Infected: Trojan-Downloader.WMA.GetCodec.b 1
C:\Users\Katie\Shared\bebo norman.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Katie\Shared\Rare Recording.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
The selected area was scanned.
chuckjab
2008-06-11, 02:05
I just wanted to let you know that I have just completely cleaned out all of the temporary files on the computer as well as all history. In addition I have deleted the infected shared files that were at the end of the scan report.
pskelley
2008-06-11, 02:31
Thanks Charlie, Ken is home and he will pick up where he left off. He can use the information you have provided and you are in good hands:bigthumb:
Thanks...Phil
Hello Charley,
I was away for a much needed long weekend and my buddy Phil came though as always...Thanks buddy.
Lets run this tool to make sure all you cleaned out is gone.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Run Kaspersky again and post the log and then post a new HJT log for one final check
chuckjab
2008-06-12, 04:17
Hello Again,
I have run the three scans that you told me to run. The ATF Cleaner found 14 files and deleted them. Kaspersky Scan found nothing as you can see and here is another hjt log. I think that I have finally cleared this all up and again I want to say Thank You for all of your help. You and the other members on here have went above and beyond what I expected and I want you to know that I really appriciate it. Thanks again and if I need to do anything else let me know.
Thanks, Charlie
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:00 PM, on 6/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1
\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!
\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
/Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health
Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless
Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless
Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0
\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User
'?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
(User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User
'?')
O4 - HKUS\S-1-5-21-4194038908-3935335703-2413737941-1000\..\Run: [AIM] C:\Program
Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - S-1-5-21-4194038908-3935335703-2413737941-1000 Startup: OneNote 2007 Screen Clipper and
Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft
Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP
Connections.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare
software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12
\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1
\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3
\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1
\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-
58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -
http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) -
http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) -
http://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-
Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner -
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program
Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program
Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP
Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-
Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-
Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0
\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program
Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing
Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8848 bytes
Hello Charley,
Everything looks fine so your good to go.:bigthumb: One thing, I weeded though it but next time you have to post a HJT log make sure wordwrap is unchecked, it makes it easier to read on my end and these old eyes need all the help they can get:laugh:
Thanks for the kind words, all us helpers are volunteers and we do this because we like people like yourself and really despise the slime balls that write this garbage.
I am going to link you to some reading and free tools to install to help keep you more secure, keep in mind with Vista being new , most will work but some may not.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken