Thread: help with vertumonde.generic

  1. #1 Junior Member (Join Date: Jan 2008; Posts: 2)

    help with vertumonde.generic

    Hi guys

    Having trouble getting rid of the Vertumonde.generic beastie.

    I have run Spybot a number of times in both normal and safe mode.

    I have a number of viruses on the system too. How can I get rid of these, as I have already run the virus scanner a number of times and tried deleting them?

    Here are the logs.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\

    Scan Statistics:
    Total number of scanned objects: 48218
    Number of viruses found: 11
    Number of infected objects: 31
    Number of suspicious objects: 0
    Duration of the scan process: 00:42:52

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip/opnoonl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip/opnoonl.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip/opnoonl.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip/prolooker.dll Infected: not-a-virus:AdWare.Win32.BHO.ta skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip/laf4.exe Infected: not-virus:Hoax.Win32.Renos.aos skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt4.zip/ictun.exe Infected: Trojan-Downloader.Win32.Zlob.frl skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt4.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Keith\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\game.class-506f6b50-4a163744.class Infected: Exploit.Java.Gimsh.a skipped
    C:\Documents and Settings\Keith\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Keith\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Keith\Local Settings\History\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped
    C:\Documents and Settings\Keith\Local Settings\Temp\laf4.exe_old Infected: not-virus:Hoax.Win32.Renos.aos skipped
    C:\Documents and Settings\Keith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Keith\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Keith\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Keith\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\count.jar-453fec19-7a516236.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\count.jar-453fec19-7a516236.zip ZIP: infected - 1 skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-14e46f0-1f29a75d.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-14e46f0-1f29a75d.zip ZIP: infected - 1 skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-27406485-6f6ac201.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\eRT.jar-27406485-6f6ac201.zip ZIP: infected - 1 skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\pRT.jar-64395656-6db263e3.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
    C:\RECYCLER\S-1-5-21-1223188425-152140474-3975749824-1005\Dc1\pRT.jar-64395656-6db263e3.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031396.dll Infected: not-a-virus:AdWare.Win32.HotBar.ch skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031399.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bl skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031407.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031431.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlc skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP239\A0031432.dll Infected: not-a-virus:AdWare.Win32.BHO.ta skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP240\A0031459.exe Infected: Trojan-Downloader.Win32.Zlob.frl skipped
    C:\System Volume Information\_restore{EE35F0D4-CB4F-4234-95C8-31EBA2F94C1F}\RP240\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\fsehfcu.dll Infected: Trojan-Downloader.Win32.Bojo.ae skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_508.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    The Spybot log

    --- Search result list ---
    Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}


    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 504 ( 0) \SystemRoot\System32\smss.exe
    size: 50688
    PID: 556 ( 0) \??\C:\WINDOWS\system32\csrss.exe
    size: 6144
    PID: 580 ( 0) \??\C:\WINDOWS\system32\winlogon.exe
    size: 502272
    PID: 624 ( 0) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 636 ( 0) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 780 ( 0) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 836 ( 0) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 876 ( 0) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 924 ( 0) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1020 ( 0) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1236 ( 0) C:\WINDOWS\Explorer.EXE
    size: 1033216
    MD5: 97BD6515465659FF8F3B7BE375B2EA87
    PID: 1304 ( 0) C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    size: 17272
    MD5: 591E7CDF35DE74D55CD462A13FBADE5E
    PID: 1352 ( 0) C:\Program Files\Alwil Software\Avast4\ashServ.exe
    size: 140664
    MD5: DBBB6E20EC8C38902C4935B249AEBE2A
    PID: 1492 ( 0) C:\WINDOWS\system32\Rundll32.exe
    size: 33280
    MD5: DA285490BBD8A1D0CE6623577D5BA1FF
    PID: 1500 ( 0) C:\WINDOWS\system32\keyhook.exe
    size: 249856
    MD5: 0E9748A140A5A6A86379E1993B574F8E
    PID: 1508 ( 0) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    size: 32768
    MD5: 7A011702C0AA86AD79EFA86E66F411DC
    PID: 1524 ( 0) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    size: 135168
    MD5: 34FC457931D0F9C7CF2F1371764D715C
    PID: 1532 ( 0) C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    size: 36975
    MD5: 1F6573D67DD5DC06DD29EC7FCF81DC6F
    PID: 1552 ( 0) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    size: 53248
    MD5: EFEA5551E578FF6FE52B5DB15CE13390
    PID: 1568 ( 0) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    size: 79224
    MD5: 88D86112DD9F2BB6A603674706C7E846
    PID: 1612 ( 0) C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
    PID: 1716 ( 0) C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    size: 171448
    MD5: 0FA44EA8B03ABA3E1D240B5A333D8E6A
    PID: 1800 ( 0) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1460560
    MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E
    PID: 1948 ( 0) C:\WINDOWS\system32\sistray.exe
    size: 331776
    MD5: 75D2905CC72D4DEB2771EEF42A809C35
    PID: 2004 ( 0) C:\WINDOWS\system32\spoolsv.exe
    size: 57856
    MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
    PID: 172 ( 0) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    size: 4943184
    MD5: C92780F50B8BB7A89E919585916494A9
    PID: 352 ( 0) C:\WINDOWS\system32\slserv.exe
    size: 45056
    MD5: 495B6A1F09E2390D0B5D718CD260E541
    PID: 372 ( 0) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1196 ( 0) C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    size: 247160
    MD5: 36088BA16E85C081D7BC48725872D540
    PID: 1004 ( 0) C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    size: 345464
    MD5: 86ACF7955F4DB72880F61D724A97855A
    PID: 2188 ( 0) C:\WINDOWS\System32\alg.exe
    size: 44544
    MD5: F1958FBF86D5C004CF19A5951A9514B7
    PID: 2640 ( 0) C:\WINDOWS\system32\wuauclt.exe
    size: 53080
    MD5: F3E9065EB617A7E3A832A7976BFA021B
    PID: 2788 ( 0) C:\Program Files\Internet Explorer\iexplore.exe
    size: 93184
    MD5: E7484514C0464642BE7B4DC2689354C8
    PID: 544 ( 0) C:\WINDOWS\system32\NOTEPAD.EXE
    size: 69120
    MD5: 388B8FBC36A8558587AFC90FB23A3B99

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\WINDOWS\system32\pmkhe.dll (file missing)
    O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{235D61FB-345A-4CD4-8FF6-A400281D453C}: Domain = nsw.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E49F710-E4E4-40D1-899B-673D3073F376}: Domain = nsw.bigpond.net.au
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    I have already run VundoFix to no effect.
    What do you suggest?

    Thanks for your help, it is much appreciated.
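As an added example (not part of this thread, and not code from HijackThis or Spybot), a small Python triage script that reads HijackThis O2 lines like the ones in the log above, flags BHO registrations that have no display name or point at a missing file, and cross-checks each CLSID against the one Spybot reported; the sample log lines and the flagged-CLSID set are constructed here from the post's own log.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Matches a HijackThis v2 "O2" (Browser Helper Object) line:
#   O2 - BHO: <name> - {CLSID} - <dll path | (no file) | path (file missing)>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)


@dataclass
class BhoEntry:
    clsid: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o2_lines(log_text: str) -> List[BhoEntry]:
    """Return one BhoEntry per O2 line; other HijackThis sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if m:
            entries.append(BhoEntry(m["clsid"], m["name"], m["target"]))
    return entries


def triage_bho(log_text: str, flagged_clsids: FrozenSet[str] = frozenset()) -> List[BhoEntry]:
    """Annotate each BHO with the reasons a malware-removal helper would look at it.

    flagged_clsids: CLSIDs another scanner already reported (here, the one from
    the Spybot "Search result list"). Comparison is case-insensitive because
    HijackThis and Spybot print the hex digits in mixed case.
    """
    flagged = {c.upper() for c in flagged_clsids}
    entries = parse_o2_lines(log_text)
    for e in entries:
        if e.name == "(no name)":
            e.reasons.append("BHO registered without a display name")
        if e.target == "(no file)" or e.target.endswith("(file missing)"):
            e.reasons.append("registration points at a file that no longer exists")
        if e.clsid.upper() in flagged:
            e.reasons.append("CLSID also reported by Spybot")
    return entries


def report(entries: List[BhoEntry]) -> List[str]:
    """Human-readable one-liners, suspicious entries first (stable order otherwise)."""
    ordered = sorted(entries, key=lambda e: not e.suspicious)
    return [
        f"{'!!' if e.suspicious else 'ok'} {e.clsid} {e.name!r} -> {e.target}"
        + (f"  [{'; '.join(e.reasons)}]" if e.reasons else "")
        for e in ordered
    ]


# Constructed sample: O2/O4 lines copied in shape from the HijackThis log in the post above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\\WINDOWS\\system32\\pmkhe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# The CLSID Spybot flagged as Virtumonde.generic in the log above.
SPYBOT_FLAGGED = frozenset({"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"})

if __name__ == "__main__":
    for line in report(triage_bho(SAMPLE_LOG, SPYBOT_FLAGGED)):
        print(line)
```

The two orphaned entries it surfaces are exactly the ones the helper's reply targets; a named BHO with an existing DLL (Adobe, Google) passes through unflagged.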

  2. #2 steamwiz, Security Expert-Emeritus (Join Date: Dec 2005; Location: Yorkshire, U.K.; Posts: 1,313)

    Hi

    1. Delete your Spybot - Search & Destroy backups ...

    How do I clean out the Spybot backups?

       1. Run Spybot
       2. Click on "Recovery" on the left side
       3. Place a checkmark in all of the boxes on the right side
       4. From the top menu click on "Purge selected items"
       5. This will remove those backups.

    --
    2. Paste this into your address bar & click GO :-

    C:\Documents and Settings\Keith\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

    Then delete this game.class-506f6b50-4a163744.class

    --
    3. Empty your RECYCLE bin

    --
    4. Find & delete this file :-

    C:\WINDOWS\system32\fsehfcu.dll

    --
    5.

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E.

  3. #3 Junior Member (Join Date: Jan 2008; Posts: 2)

    OK, files have been deleted as requested.

    Here is the ComboFix log:

    ComboFix 08-01-18.3 - Keith 2008-01-18 9:56:16.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT 11:00]
    Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Keith\Application Data\DriveCleaner Free
    C:\Documents and Settings\Keith\Application Data\DriveCleaner Free\Logs\update.log
    C:\Documents and Settings\Keith\err.log
    C:\Documents and Settings\Keith\ResErrors.log
    C:\Program Files\Helper
    C:\WINDOWS\system32\ehkmp.ini
    C:\WINDOWS\system32\ehkmp.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
    .

    2008-01-18 09:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-17 11:21 . 2005-04-12 09:59 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-17 11:21 . 2005-04-12 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
    2008-01-16 15:55 . 2008-01-16 15:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-16 15:55 . 2008-01-16 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-16 15:06 . 2008-01-16 15:06 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-16 12:26 . 2008-01-16 12:26 <DIR> d-------- C:\VundoFix Backups
    2008-01-16 09:51 . 2008-01-16 09:51 <DIR> d-------- C:\Program Files\Alwil Software
    2008-01-16 09:51 . 2007-12-05 00:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-01-16 09:51 . 2004-01-09 21:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
    2008-01-16 09:51 . 2007-12-04 23:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-01-16 09:51 . 2007-12-05 01:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-01-16 09:51 . 2007-12-05 01:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-01-16 09:51 . 2007-12-05 01:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-01-16 09:51 . 2007-12-05 01:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-01-16 09:51 . 2007-12-05 01:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-01-15 17:02 . 2008-01-15 18:09 151 --a------ C:\WINDOWS\wininit.ini
    2008-01-15 16:23 . 2008-01-15 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-15 16:11 . 2008-01-18 09:55 <DIR> d-------- C:\Documents and Settings\Keith\Application Data\U3
    2008-01-15 11:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-01-15 11:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-01-15 11:08 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-01-15 11:08 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-01-09 00:26 . 2008-01-16 10:46 <DIR> d-------- C:\Program Files\VirusProtect 3.9
    2008-01-09 00:26 . 2008-01-09 11:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-29 21:42 --------- d-----w C:\Documents and Settings\Keith\Application Data\Canon
    2007-12-15 15:46 --------- d-----w C:\Documents and Settings\Keith\Application Data\CyberLink
    2007-12-03 12:20 --------- d-----w C:\Program Files\Google
    2007-11-24 13:17 2,100 ----a-w C:\Documents and Settings\Keith\Application Data\wklnhst.dat
    2007-02-28 14:52 92,064 ----a-w C:\Documents and Settings\Keith\mqdmmdm.sys
    2007-02-28 14:52 9,232 ----a-w C:\Documents and Settings\Keith\mqdmmdfl.sys
    2007-02-28 14:52 79,328 ----a-w C:\Documents and Settings\Keith\mqdmserd.sys
    2007-02-28 14:52 66,656 ----a-w C:\Documents and Settings\Keith\mqdmbus.sys
    2007-02-28 14:52 6,208 ----a-w C:\Documents and Settings\Keith\mqdmcmnt.sys
    2007-02-28 14:52 5,936 ----a-w C:\Documents and Settings\Keith\mqdmwhnt.sys
    2007-02-28 14:52 4,048 ----a-w C:\Documents and Settings\Keith\mqdmcr.sys
    2007-02-28 14:52 25,600 ----a-w C:\Documents and Settings\Keith\usbsermptxp.sys
    2007-02-28 14:52 22,768 ----a-w C:\Documents and Settings\Keith\usbsermpt.sys
    2004-10-11 09:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
    2004-01-19 04:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
    2004-01-19 03:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
    2004-01-19 03:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
    2004-01-19 02:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
    2004-01-19 02:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
    2004-01-19 01:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
    2004-01-19 01:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
    2004-01-19 01:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
    2004-01-19 01:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
    2004-01-19 01:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
    2004-01-19 01:44 143,872 ----a-w C:\Program Files\lftif13n.dll
    2004-01-19 01:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
    2004-01-19 01:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
    2004-01-19 01:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
    2004-01-19 01:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
    2004-01-19 01:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
    2004-01-19 01:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
    2004-01-19 01:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
    2004-01-19 01:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
    2004-01-19 01:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
    2004-01-19 01:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
    2004-01-19 01:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
    2000-05-01 18:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
    1999-11-18 13:00 284,032 ----a-w C:\Program Files\XceedZip.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8800AC00-6916-44CF-8E97-5BC152E4891D}]
    C:\WINDOWS\system32\pmkhe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC486A2-1DA6-4EF7-845B-B87F3C138869}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24 1694208]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 21:15 106496]
    "SiSPower"="SiSPower.dll" [2004-09-02 16:47 49152 C:\WINDOWS\system32\SiSPower.dll]
    "SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 14:44 249856]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 02:07 32768]
    "{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 19:33 69721]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36 36975]
    "mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-04-12 09:59:57]

    R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 05:18]
    R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-28 15:00]
    S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-18 10:00:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-18 10:03:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-17 23:03:21
    .
    2008-01-15 07:27:08 --- E O F ---


    and here is the HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:29 AM, on 18/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optima.com.au
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\WINDOWS\system32\pmkhe.dll (file missing)
    O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{235D61FB-345A-4CD4-8FF6-A400281D453C}: Domain = nsw.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E49F710-E4E4-40D1-899B-673D3073F376}: Domain = nsw.bigpond.net.au
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 4763 bytes

    Thanks for your help

  4. #4
    steamwiz (Security Expert-Emeritus)
    Join Date: Dec 2005
    Location: Yorkshire, U.K.
    Posts: 1,313

    Hi

    You are running an out-of-date version of java

    Go to add/remove programs and uninstall any earlier versions ...

    Then you can go here and install the latest version of Java.

    http://java.sun.com/javase/downloads/index.jsp

    Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 4' and press the 'Download' button.


    Running an out-of-date version of java is an infection risk.

    Then ....

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word Registry:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8800AC00-6916-44CF-8E97-5BC152E4891D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC486A2-1DA6-4EF7-845B-B87F3C138869}]
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ALSO ...

    Please run a new KASPERSKY ONLINE SCAN & post the log ...

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E
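A small parser for the O2 (BHO) lines of the HijackThis log above, as an added example that is not part of this thread or of HijackThis/ComboFix: it flags orphaned BHO entries (no name and no file on disk, the pattern the two CLSIDs in the script above show) and drafts a Registry:: block in the same form as the CFScript. The sample input is constructed from the log posted above, and the "no name plus missing file" rule is an assumption of this example, not a HijackThis or ComboFix rule.

```python
"""Parse HijackThis O2 (BHO) lines and draft a ComboFix-style CFScript.

Added example, not code from this thread or from ComboFix/HijackThis.
"""
import re

# Constructed sample: the O2 lines from the HijackThis log posted above.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {8800AC00-6916-44CF-8E97-5BC152E4891D} - C:\\WINDOWS\\system32\\pmkhe.dll (file missing)
O2 - BHO: (no name) - {8AC486A2-1DA6-4EF7-845B-B87F3C138869} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
"""

# An O2 line is: "O2 - BHO: <name> - {CLSID} - <path or status>".
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_bhos(log_text):
    """Return a list of (name, clsid, path) tuples, one per O2 line."""
    found = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append((m["name"], m["clsid"], m["path"]))
    return found


def suspicious_bhos(log_text):
    """CLSIDs of BHOs that have no name and no backing DLL on disk.

    Assumption of this example: such orphaned entries are the leftovers
    worth reviewing; a named BHO with a present file is left alone.
    """
    return [
        clsid
        for name, clsid, path in parse_bhos(log_text)
        if name == "(no name)" and ("(no file)" in path or "(file missing)" in path)
    ]


def build_cfscript(clsids):
    """Emit the Registry:: block; 'Registry::' must be the very first line."""
    lines = ["Registry::"]
    for clsid in clsids:
        lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_bhos(SAMPLE_HJT)), end="")
```

The output is a draft to check against the log by hand; the CLSIDs it lists are the two orphaned ones in the posted log, so it does not reproduce every line of the script above.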
