virtumonde

Status
Not open for further replies.
no

I saved them while I was still in Safe Mode.
When I turn on my computer in safe mode I can see them on the desktop.
Not on normal boot though.
I searched for them with the Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.
 
also

when I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?
 
I saved them while I was still in Safe Mode.
When I turn on my computer in safe mode I can see them on the desktop.
Not on normal boot though.
I searched for them with the Search function; they show up as being in C administrator desktop, but when I go there they are not there, and they are not showing up on my actual desktop.

Can you open them and see what's there, if anything, then jot it down and post back here.
 
when I shut my computer down to check to see if they were on my desktop in safe mode, Windows automatically updated itself. Is that normal?
In Safe Mode? No, unless you ran Safe Mode with networking there would be no way to download the updates.
 
first run / light scan

Autoscan: completed 11 minutes ago (events: 18, objects: 506489, time: 03:15:07)
3/3/2010 3:03:15 PM Task started
3/3/2010 3:10:19 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 3:10:19 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
3/3/2010 3:46:38 PM Detected: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
3/3/2010 3:46:38 PM Untreated: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir Postponed
3/3/2010 3:50:31 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 3:50:31 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
3/3/2010 3:51:16 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 3:51:16 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0003422.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 4:37:17 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\HPPavillion_Spring06.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 6:16:58 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005158.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:16:58 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 6:16:59 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005157.exe/WiseSFXDropper/WISE0015.BIN Postponed
3/3/2010 6:18:22 PM Task completed
 
2nd run / deep scan

Autoscan: completed 17 hours ago (events: 18, objects: 506489, time: 03:15:07)
Autoscan: completed 13 hours ago (events: 2, objects: 504374, time: 03:25:06)
3/3/2010 6:33:08 PM Task started
3/3/2010 9:58:14 PM Task completed


The first scan I paid close attention and clicked delete and quarantine as needed.

The second scan I left alone, and returned to a completed scan.
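Why these two scans can still count as a clean result is easier to see when each hit is sorted by where the flagged file actually lives. The following is an added example (my code, not from the thread or from any of the scanners mentioned) that parses Kaspersky-style autoscan lines and classifies every detection as sitting in a quarantine folder, a System Restore point, an I386 install tree, or a live location. All detection lines are copied from the first scan above except the 5:00:00 PM line, which is constructed to show what a live hit would look like; treating D:\I386 as the OEM recovery partition is an assumption.

```python
import re
from collections import Counter

# Kaspersky-style autoscan lines. Every detection line except the 5:00:00 PM one
# is copied verbatim from the first scan log in the thread; the 5:00:00 PM line is
# CONSTRUCTED (not in the thread) to show a hit outside quarantine/restore/install trees.
SAMPLE_LOG = r"""
3/3/2010 3:03:15 PM Task started
3/3/2010 3:10:19 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 3:10:19 PM Untreated: not-a-virus:AdWare.Win32.PurityScan.ak C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60C92449.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact Postponed
3/3/2010 3:46:38 PM Detected: Trojan.VBS.Small.bj C:\Qoobox\Quarantine\C\WINDOWS\IA\KE.vbs.vir
3/3/2010 3:50:31 PM Detected: not-a-virus:AdWare.Win32.PurityScan.ak C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP18\A0005156.dll/CryptFF/PE_Patch.PECompact/PecBundle/PECompact
3/3/2010 4:37:17 PM Detected: not-a-virus:AdWare.Win32.WeatherBug.a D:\I386\APPS\APP10003\src\CompaqPresario_Spring06.exe/WiseSFXDropper/WISE0015.BIN
3/3/2010 5:00:00 PM Detected: Trojan.VBS.Small.bj C:\WINDOWS\IA\KE.vbs
3/3/2010 6:18:22 PM Task completed
"""

SCAN_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<status>Detected|Untreated): "
    r"(?P<verdict>\S+) "
    r"(?P<path>.*?)(?: (?P<action>Postponed))?$"
)


def classify(container):
    """Where the flagged file lives on disk; this decides whether the hit matters."""
    p = container.lower()
    if "\\quarantine\\" in p:
        return "quarantine"      # already neutralised by another tool (Norton, ComboFix's Qoobox)
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # old copy inside a System Restore point, never executed from there
    if "\\i386\\" in p:
        return "install_source"  # Windows/OEM install tree (D: assumed to be the recovery partition)
    return "live"                # anything else could actually run


def parse_event(line):
    """One log line -> dict, or None for 'Task started', 'Task completed' and blanks."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Kaspersky appends the member inside an archive/packer with '/';
    # the part before the first '/' is the file that actually exists on disk.
    e["container"] = e["path"].split("/", 1)[0]
    e["location"] = classify(e["container"])
    e["riskware"] = e["verdict"].startswith("not-a-virus:")   # adware/riskware, not a trojan
    return e


def triage(log_text):
    """Return (all events, count per location, events that still need action)."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    by_location = Counter(e["location"] for e in events)
    live = [e for e in events if e["location"] == "live"]
    return events, by_location, live


if __name__ == "__main__":
    events, by_location, live = triage(SAMPLE_LOG)
    print(dict(by_location))
    for e in live:
        print("ACTION NEEDED:", e["verdict"], e["container"])
```

Run against the real log only (drop the constructed line) and every hit lands in quarantine, a restore point or the I386 tree, which is the practical reason "Postponed" on those entries is acceptable; clearing old restore points and emptying the quarantine folders removes them for good. Anything classified as live is the only thing that should change the conclusion.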
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:15 PM, on 3/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7319 bytes
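What a reviewer actually does with a HijackThis log is map each tag to the autostart location it enumerates and look for a few tell-tale patterns: a registration whose file is gone, a Startup shortcut HJT could not resolve, a Run-key command that names a bare executable rather than a full path, and anything pulled from a URL. The following is an added example (my code, not from the thread and not part of HijackThis) that does that over lines copied from the log above; the tag descriptions are my summary of the HJT log format, and `triage_hjt` is a name I chose.

```python
import re

# HijackThis section tags that appear in the log above and what each enumerates
# (summary of the HJT log format; only the tags present in this log are listed).
HJT_TYPES = {
    "R0": "IE Start Page / Search Page registry value",
    "R1": "IE Default_Search_URL, Search Bar or ShellNext registry value",
    "O2": "Browser Helper Object (CLSID under Explorer\\Browser Helper Objects)",
    "O4": "Autostart: Run/RunOnce registry keys and Startup folders",
    "O8": "IE context-menu extension",
    "O9": "IE toolbar button / Tools menu item",
    "O16": "Downloaded Program Files (DPF) ActiveX control",
    "O23": "Windows service",
}

ENTRY = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RUN = re.compile(r"^(?P<key>HK\S+\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Lines copied verbatim from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


def executable_of(cmd):
    """First token of a Run-key command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_entry(line):
    """One HJT line -> dict with tag, kind, CLSID, command and review flags; None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    e = {"tag": tag, "kind": HJT_TYPES.get(tag, "unknown"), "body": body,
         "clsid": None, "cmd": None, "flags": []}
    c = CLSID.search(body)
    if c:
        e["clsid"] = c.group(0).upper()
    if body.endswith("(no file)"):
        # Registry still points at a CLSID whose DLL is gone: leftover, nothing runs.
        e["flags"].append("orphan registration, file missing")
    if body.endswith(" = ?"):
        # HJT could not read the Startup-folder shortcut's target.
        e["flags"].append("unresolved shortcut target")
    if tag == "O4":
        r = O4_RUN.match(body)
        if r:
            e["cmd"] = r.group("cmd")
            if "\\" not in executable_of(r.group("cmd")):
                # A bare file name is located via the search path, so a planted copy
                # earlier in that path would run instead; confirm which file it is.
                e["flags"].append("unqualified executable, resolved via search path")
    if tag == "O16":
        e["flags"].append("ActiveX control fetched from a URL, check the source")
    return e


def triage_hjt(text):
    """Return (all parsed entries, the subset carrying at least one flag)."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return entries, [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in triage_hjt(SAMPLE_HJT)[1]:
        print(e["tag"], e["kind"], "->", "; ".join(e["flags"]))
```

On this log the flags are all benign once checked: the nameless BHO is a dead registration, RTHDCPL.EXE and nwiz.exe are vendor audio/video entries that live in the Windows directory, and the DPF entry is the ESET online scanner the user ran. The value of the script is that it makes those checks explicit instead of relying on the reviewer to eyeball 150 lines.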
 
Okay looks pretty good. We should do some cleanup.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
The above procedure will:
  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

You can also delete DDS and GMER.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how it's running too please.
 
no

I uninstalled avast.
I will reinstall after we are through or if we need it again.
I do not know what I am supposed to do.
I can only access ComboFix by clicking the icon on my desktop.
There is no start button.
or run for that matter.
Not that I see.
I double click combofix icon on my desktop and it starts running.
It launches quickly into a scan.
I dont see any run box.
No place to type. no time to type. No uninstall.

confused
 
The Start button is your Windows Start button, in the lower left-hand corner of your monitor (normally, but that can be different). Then you select Run, and it brings up the Run dialogue box. Then you can type in or copy/paste the command Combofix /Uninstall.
 
hello

My computer seems to be running just fine.
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
Java DB 10.5.3.0
Java(TM) 6 Update 18
Java(TM) SE Development Kit 6 Update 18
Java Auto Updater
Out of date Java installed!
Adobe Reader 7.0.5
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````
 
Update!

Think other than doing all the updating and making sure you have protection in place, you are pretty much set.

As you can see from the report, you need to update your Windows Service Pack. I would suggest you set Windows to use Automatic Updates.

You also need to turn your Firewall on, or install one of the ones I recommend below.

Adobe Reader needs to be updated.

Also make sure to re-install either Avast or one of the other AV's I recommended.

Use an AntiVirus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. Here is a list of some free and evaluation versions to try:

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.

For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install Winpatrol -
Use Winpatrol to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here

Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -
Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,
Dave
 