View Full Version : Vexed By Vitrumonde
MarkTheMeS
2008-11-29, 02:55
I need help removing virtumonde.prx, or virtumonde in general, please. After reading other posts, I have already downloaded Trend Micro HijackThis v2.0.2. I await further instructions.
Thank You,
MarkTheMeS
MeS™
pskelley
2008-12-01, 22:05
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Posted above and pinned (sticky) to the top of this forum are the directions, did you read those? If you have read an followed the directions then post the HijackThis log plainly described in those directions, that will get us started.
Thanks
MarkTheMeS
2008-12-02, 12:49
Here's my Hijack This log. I should note that since posting my original request for help, I have run Malwarebytes' Anti-Malware program and that does seem to have helped, but the Spybot S&D scan seems to still be finding some element of Virtumonde.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:54 AM, on 12/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; AntivirXP08; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://www.zapak.com/ztournaplay.zpk?gid=944&gameid=944&gnrid=&typeid=13&gname=Motocross%20Racing&type=72%20Hour%20Tournament&tournid=334&tourn_id=334"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 -
O16 - DPF: RaptisoftGameLoader -
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.iwin.com/global/premium/playfirst/trijinx/TriJinx.1.0.0.60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194808149466
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222422980838
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.iwin.com/global/premium/gamehouse/luxor/mjolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} -
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.dgse.com/webcam/h263ctrl.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) -
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} -
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} -
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O20 - AppInit_DLLs: c:\winnt\system32\lovebise.dll c:\winnt\system32\zigomobo.dll ,
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 6756 bytes
Thank you again for your help,
MarkTheMeS
MeS™
pskelley
2008-12-02, 12:58
I have run Malwarebytes' Anti-Malware program and that does seem to have helped,
Ahh...but did you read the pinned (sticky) directions at the top of this forum?
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
Not my favorite Operating System to work on since I have never owned one, but I will do my best. Since you ran MBAM already, please post the log from that scan and a uninstall list.
Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks...Phil
MarkTheMeS
2008-12-02, 14:56
Here's the log from my latest MBAM scan:
Malwarebytes' Anti-Malware 1.30
Database version: 1436
Windows 5.0.2195 Service Pack 4
12/2/2008 7:31:15 AM
mbam-log-2008-12-02 (07-31-15).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 119126
Time elapsed: 1 hour(s), 29 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
And here's the log from my initial MBAM scan after I realized my computer was infected with Virtumonde (Vundo):
Malwarebytes' Anti-Malware 1.30
Database version: 1436
Windows 5.0.2195 Service Pack 4
11/29/2008 11:41:09 PM
mbam-log-2008-11-29 (23-41-09).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 108203
Time elapsed: 1 hour(s), 28 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 7
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINNT\system32\zokufevi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINNT\system32\gugefoje.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\dakapuso.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\guvutoho.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53b17e65-3afb-4a43-9dad-1c8223631621} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53b17e65-3afb-4a43-9dad-1c8223631621} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/winnt/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/winnt/downloaded program files/piratepoppers.1.0.0.24.dll (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmab9802dc (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINNT\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcpvpj0enal (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINNT\Downloaded Program Files\PiratePoppers.1.0.0.24.dll (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tilemelopa (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\winnt\system32\gugefoje.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\gugefoje.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\winnt\system32\guvutoho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\winnt\system32\guvutoho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\guvutoho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\winnt\system32\zobirawa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\zobirawa.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\zokufevi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ivefukoz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\zuragiwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\uwigaruz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\dakapuso.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINNT\system32\gugefoje.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\guvutoho.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\gw8p0v.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\zobirawa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\gopejudi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\Downloaded Program Files\PiratePoppers.1.0.0.24.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINNT\Downloaded Program Files\PiratePoppers.1.0.0.24.inf (Adware.Agent) -> Quarantined and deleted successfully.
Here's the Uninstall List from Hijackthis, also:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Software Update
BOINC
Brother Drivers
Brother Extensions for Paperport
Brother MFL-Pro Suite
C-Media USB WDM Audio Driver
Direct Show Ogg Vorbis Filter (remove only)
DreamStation DXi2
Ezonics EZCam II
EZSuite
Google Earth
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
igLoader
igLoader 2,0,0,2
Intel(R) 810/810E/815/815E/815EM Chipset Graphics Driver Software
Intel(R) Processor Frequency ID Utility
Intel(R) Processor ID Utility
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Live Express
Logitech iTouch Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Hotfix (KB947742)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office XP Professional with FrontPage
mIRC
Mozilla Firefox (1.0.7)
Nullsoft Install System
PaperPort 8.0 SE
Picasa 2
Security Update for DirectX 9 (KB941568)
Security Update for DirectX 9 (KB951698)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 7.1 (KB936782)
SoundMAXWDM
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Update Rollup 1 for Windows 2000 SP4
USB Audio
Virtual Sound Canvas DXi
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926247
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB941693
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB947864
Windows 2000 Hotfix - KB948590
Windows 2000 Hotfix - KB948881
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950759
Windows 2000 Hotfix - KB950760
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB953838
Windows 2000 Hotfix - KB953839
Windows 2000 Hotfix (SP5) Q818043
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 7.1
Windows Media Player Hotfix [See Q828026 for more information]
WinZip
Yahoo! Messenger
Sorry that I got impatient and ran MBAM before hearing back from you. These bugs can just be so frustrating...
I'm just about to run a Spybot S&D scan, but I won't fix any problems that might be listed until I've read your next reply.
Thanks,
MarkTheMeS
MeS™
MarkTheMeS
2008-12-02, 15:55
I've run the Spybot S&D Scan I said I was going to do and at this point it shows no sign of Virtumonde. I haven't done anything since I ran the MBAM scan that got some of Virtumonde and the last Spybot S&D scan that still showed some of it, so I guess when I fixed the problems with that scan it may have gotten what had remained. The only other thing I can think of that may have helped, after reading some other posts in here, is that I ran those initial scans with my computer disconnected from the internet and I shutdown my computer for a few hours as well, but that's just a guess.
As I mentioned before, I'm not fixing anything that my most recent Spybot S&D scan found until I hear back from you. I don't want to assume that it's all cleared-up just yet, plus my amateur glance at the logs in Spybot S&D makes me thing there are still bits of Virtumonde, as well as other things, still lurking on my computer just waiting to be switched back on.
Patiently awaiting your reply,
MarkTheMeS
MeS™
pskelley
2008-12-02, 17:30
Thanks for the MBAM log, did you update (the folks who created MBAM for us are constantly updating the program) before you ran the new scan?
I am showing database version 1445 12/02/2008) but XP may be different than 2000?
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.2 <<< out of date, see this information:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
All out of date and being exploited, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Mozilla Firefox (1.0.7) <<< if you are not going to run the newest version I suggest you uninstall Firefox completely.
http://www.mozilla.com/en-US/firefox/ <<< I am assuming this version will run on your OS.
To continue, it looks like you have the newest version of Spybot S&D 1.6 so update, immunize and scan to make sure it is scanning clean.
http://www.safer-networking.org/en/faq/index.html
What are you going to run for an antivirus program? Waste of time cleaning the computer without one. Here are three free programs, install only one.
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
Once installed and updated, scan the system and let me know how the computer runs. We still have a bit of cleaning to do.
Thanks...Phil
This topic has been archived due to inactivity.
As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you Phil. :)