DeadByComputer
2009-01-30, 17:05
Well first off, I don't know a whole lot about computers yet, but I'm on my way to learning. If you can make advice or help simple it would be appreciated, but here's my problem. I was playing a game I've played for years and I know is completely safe, and I've not done anything differently but there are other people in my house that use this computer. While I was playing I received a notice "Internet explorer has found a virus and will begin scanning" Which seems horribly wrong to me, first because I never use internet explorer, and second because it has no scanning feature to it that I know of.
I ran Spybot - Search & Destroy to check if I had a virus and somehow I had 17. I removed them and rescanned immediately to make sure it worked. That number dropped to 13.
Every time I run spybot it says it cannot get rid of virtumonde.sci and somehow one of the viruses also deleted my system restore points, so I figured I'd ask for help.
I've also run Hijack this, Ad-Aware SE, and trendmicro's housecall65, but none could solve my problem.
This is a list from my last Spybot "fix", and I'm running it again currently.
--- Report generated: 2009-01-30 09:31 ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\instkey
Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\iynursxp.job
Virtumonde: [SBI $4D2BC948] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim
Virtumonde: [SBI $779C9C0D] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini2
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini
Virtumonde.Dll: [SBI $9D9A5FC6] Library (File, fixed)
C:\WINDOWS\system32\ddcDvuut.dll
Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, fixing failed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\khfFWOEx.dll...
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-07 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-01-22 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-28 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-27 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-01-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-21 Includes\Trojans.sbi (*)
2009-01-27 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Sorry for the second post, couldn't find a way to edit the original. I've just read the "BEFORE you POST" and this is the log I received from my latest scan.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:40 AM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O20 - AppInit_DLLs: vrbteu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
--
End of file - 4367 bytes
--------------------------
FYI: "before You Post" ;)
[B]Can I edit my own posts?
In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.
I ran Spybot - Search & Destroy to check if I had a virus and somehow I had 17. I removed them and rescanned immediately to make sure it worked. That number dropped to 13.
Every time I run spybot it says it cannot get rid of virtumonde.sci and somehow one of the viruses also deleted my system restore points, so I figured I'd ask for help.
I've also run Hijack this, Ad-Aware SE, and trendmicro's housecall65, but none could solve my problem.
This is a list from my last Spybot "fix", and I'm running it again currently.
--- Report generated: 2009-01-30 09:31 ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\instkey
Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\iynursxp.job
Virtumonde: [SBI $4D2BC948] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim
Virtumonde: [SBI $779C9C0D] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini2
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini
Virtumonde.Dll: [SBI $9D9A5FC6] Library (File, fixed)
C:\WINDOWS\system32\ddcDvuut.dll
Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, fixing failed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\khfFWOEx.dll...
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-07 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-01-22 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-28 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-27 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-01-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-21 Includes\Trojans.sbi (*)
2009-01-27 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Sorry for the second post, couldn't find a way to edit the original. I've just read the "BEFORE you POST" and this is the log I received from my latest scan.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:40 AM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O20 - AppInit_DLLs: vrbteu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
--
End of file - 4367 bytes
--------------------------
FYI: "before You Post" ;)
[B]Can I edit my own posts?
In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.