
Thread: Virtumonde, perhaps with a twist

  1. #1 Junior Member (Join Date: Jan 2008; Posts: 19)

    Virtumonde, perhaps with a twist

    Alright, so I had managed to acquire this trojan last month before leaving on vacation, and had been unable to remove it. All special utilities failed as well as daily-updated online scanners. Spybot would find it, but was unable to remove it; most missed it entirely.

    When I returned, I was unable to boot up my computer at all. It was freezing up, having CMOS and power issues. That appears to have been rooted in a hardware issue I have finally solved, and now my system (a rather old PC) is running again. Still have Virtumonde.

    However, it now seems to have compromised the very software that is failing to remove the problem. Adware now crashes upon loading (worked fine before), and Spybot loads but searching for updates fails to find anything. I uninstalled and reinstalled, only to find the same thing (so now my Spybot is hilariously out of date).

    If someone could help me remove this menace without having to purge my hard drive, that would be terrific.

  2. #2 Junior Member (Join Date: Jan 2008; Posts: 19)

    Sorry, home now, so here is the HJT log:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:05:17 PM, on 1/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [90554a2c] rundll32.exe "C:\WINDOWS\system32\xjrpavvl.dll",b
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    
    --
    End of file - 4175 bytes

  3. #3 Junior Member (Join Date: Jan 2008; Posts: 19)

    I was eventually able to update Spybot, so it's not completely crippled. It found a Virtumonde DLL (which it hadn't before) but is unable to remove it, even during startup.

    Anyone?

  4. #4 Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 29,374)

    Hi Sadekuuro

    Rename HijackThis.exe to Sadekuuro.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5 Junior Member (Join Date: Jan 2008; Posts: 19)

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:27:34 PM, on 1/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Gaim\gaim.exe
    C:\Program Files\FruityLoops 3.56\FruityLoops.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Sadekuuro.exe
    
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\rlfxwcaw.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {E44B55D3-9FA7-41DE-A1D9-FCB5AAEEABFE} - C:\WINDOWS\system32\jkhhg.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [90554a2c] rundll32.exe "C:\WINDOWS\system32\olyiuyxo.dll",b
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    
    --
    End of file - 4792 bytes
    Thanks!

  6. #6 Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 29,374)

    Hi

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report

  7. #7 Junior Member (Join Date: Jan 2008; Posts: 19)

    After the ComboFix reboot I noticed that my browser settings were adjusted somehow, as it told me Firefox was no longer default for some reason, and a new icon for IE appeared on the desktop. Unfortunately my internet and cable are out at home so I'm now posting this from my lab, but I have the logs:

    Code:
    ComboFix 08-02.01.1 - Loren 2008-01-31 10:32:29.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.444 [GMT -8:00]
    Running from: C:\Documents and Settings\Loren\Desktop\ComboFix.exe
     * Created a new restore point
    
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    C:\WINDOWS\system32\jkhhg.dll
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\aerkouec.ini
    C:\WINDOWS\system32\ajapnidg.ini
    C:\WINDOWS\system32\amjyttlo.ini
    C:\WINDOWS\system32\bagcplif.ini
    C:\WINDOWS\system32\bjohribv.ini
    C:\WINDOWS\system32\blbiwyle.ini
    C:\WINDOWS\system32\bocfsifk.ini
    C:\WINDOWS\system32\bpbcrtwl.dll
    C:\WINDOWS\system32\bqmsrbug.dll
    C:\WINDOWS\system32\bwtgurdr.ini
    C:\WINDOWS\system32\caeuhiih.ini
    C:\WINDOWS\system32\cbkdcvpn.ini
    C:\WINDOWS\system32\cdbcsfge.ini
    C:\WINDOWS\system32\ceuokrea.dll
    C:\WINDOWS\system32\cgrvnded.ini
    C:\WINDOWS\system32\civxdniv.ini
    C:\WINDOWS\system32\ciygxhhm.dll
    C:\WINDOWS\system32\ckclyswy.dll
    C:\WINDOWS\system32\ckiggbej.ini
    C:\WINDOWS\system32\clvmeepn.ini
    C:\WINDOWS\system32\cnxskief.dll
    C:\WINDOWS\system32\cvsxqtkj.ini
    C:\WINDOWS\system32\cwejbcmn.ini
    C:\WINDOWS\system32\cxtgjgcv.dll
    C:\WINDOWS\system32\cygejjbu.ini
    C:\WINDOWS\system32\ddtcsdfv.ini
    C:\WINDOWS\system32\ecaodhlf.dll
    C:\WINDOWS\system32\egacgqvq.ini
    C:\WINDOWS\system32\ejqgtiwm.ini
    C:\WINDOWS\system32\etvpumlk.ini
    C:\WINDOWS\system32\eyachfot.ini
    C:\WINDOWS\system32\eytssjrs.ini
    C:\WINDOWS\system32\feiksxnc.ini
    C:\WINDOWS\system32\fffponbq.ini
    C:\WINDOWS\system32\fjwveqlo.ini
    C:\WINDOWS\system32\fkaqlspx.ini
    C:\WINDOWS\system32\flhdoace.ini
    C:\WINDOWS\system32\flhwkesi.ini
    C:\WINDOWS\system32\furvayug.ini
    C:\WINDOWS\system32\gdetatuy.ini
    C:\WINDOWS\system32\ghhkj.ini
    C:\WINDOWS\system32\ghhkj.ini2
    C:\WINDOWS\system32\gtirpsej.dll
    C:\WINDOWS\system32\gubrsmqb.ini
    C:\WINDOWS\system32\gvyphnxl.dll
    C:\WINDOWS\system32\hfmkkddm.ini
    C:\WINDOWS\system32\hfuhthms.ini
    C:\WINDOWS\system32\hgyjoklb.ini
    C:\WINDOWS\system32\hogsxcsv.ini
    C:\WINDOWS\system32\hpwukkwx.ini
    C:\WINDOWS\system32\hwumcmtt.ini
    C:\WINDOWS\system32\hxwlxokm.ini
    C:\WINDOWS\system32\iaouslea.ini
    C:\WINDOWS\system32\ibapaqud.ini
    C:\WINDOWS\system32\igwlbsyt.ini
    C:\WINDOWS\system32\ihmnjwos.ini
    C:\WINDOWS\system32\ipivumxj.ini
    C:\WINDOWS\system32\ivpwfene.ini
    C:\WINDOWS\system32\ixrokqgk.ini
    C:\WINDOWS\system32\jbidcxwp.ini
    C:\WINDOWS\system32\jejgxbme.ini
    C:\WINDOWS\system32\jespritg.ini
    C:\WINDOWS\system32\jkhhg.dll
    C:\WINDOWS\system32\jmjwqoxd.ini
    C:\WINDOWS\system32\jpenguqm.ini
    C:\WINDOWS\system32\jpmwvdud.ini
    C:\WINDOWS\system32\jsfmqhwi.ini
    C:\WINDOWS\system32\jtfkqrba.ini
    C:\WINDOWS\system32\jwfqlbpt.dll
    C:\WINDOWS\system32\jwqwvovw.ini
    C:\WINDOWS\system32\jxmuvipi.dll
    C:\WINDOWS\system32\jyolnxdf.ini
    C:\WINDOWS\system32\kbuelibc.ini
    C:\WINDOWS\system32\kfgtfmcv.ini
    C:\WINDOWS\system32\kfisfcob.dll
    C:\WINDOWS\system32\kholqhum.dll
    C:\WINDOWS\system32\klmupvte.dll
    C:\WINDOWS\system32\kpmilgws.ini
    C:\WINDOWS\system32\ktbtunal.ini
    C:\WINDOWS\system32\kuvqprai.ini
    C:\WINDOWS\system32\kwnxhkmf.ini
    C:\WINDOWS\system32\kyqmowro.ini
    C:\WINDOWS\system32\lefoucwp.dll
    C:\WINDOWS\system32\lmmrrhhc.ini
    C:\WINDOWS\system32\lugkboje.ini
    C:\WINDOWS\system32\lvvaprjx.ini
    C:\WINDOWS\system32\lwiyvocv.ini
    C:\WINDOWS\system32\lwtrcbpb.ini
    C:\WINDOWS\system32\lxnhpyvg.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mddkkmfh.dll
    C:\WINDOWS\system32\mhhxgyic.ini
    C:\WINDOWS\system32\muhqlohk.ini
    C:\WINDOWS\system32\neirovvy.ini
    C:\WINDOWS\system32\nkiuuxst.ini
    C:\WINDOWS\system32\nmoxdlkn.ini
    C:\WINDOWS\system32\nphhuqpr.dll
    C:\WINDOWS\system32\nrkyqply.ini
    C:\WINDOWS\system32\nrpnajnn.ini
    C:\WINDOWS\system32\nxtkjveo.ini
    C:\WINDOWS\system32\oevjktxn.dll
    C:\WINDOWS\system32\ohokxqxq.dll
    C:\WINDOWS\system32\ojdjowrf.ini
    C:\WINDOWS\system32\olttyjma.dll
    C:\WINDOWS\system32\olyiuyxo.dll
    C:\WINDOWS\system32\oojruboc.ini
    C:\WINDOWS\system32\owqvljdr.ini
    C:\WINDOWS\system32\oxyuiylo.ini
    C:\WINDOWS\system32\paeewtvh.ini
    C:\WINDOWS\system32\phfwlsfg.ini
    C:\WINDOWS\system32\plcqdkvi.ini
    C:\WINDOWS\system32\ppxjmwvk.ini
    C:\WINDOWS\system32\psxnovhl.ini
    C:\WINDOWS\system32\ptvogojf.ini
    C:\WINDOWS\system32\pwcuofel.ini
    C:\WINDOWS\system32\qrwairhm.ini
    C:\WINDOWS\system32\qxaecsus.ini
    C:\WINDOWS\system32\qxqxkoho.ini
    C:\WINDOWS\system32\rncooajw.ini
    C:\WINDOWS\system32\rokgaqaa.ini
    C:\WINDOWS\system32\rpquhhpn.ini
    C:\WINDOWS\system32\rqbdicrt.ini
    C:\WINDOWS\system32\rqvfvisx.ini
    C:\WINDOWS\system32\rthjfijc.ini
    C:\WINDOWS\system32\rtjiofju.ini
    C:\WINDOWS\system32\rturpfhy.ini
    C:\WINDOWS\system32\sieteyrl.ini
    C:\WINDOWS\system32\skhvijmb.ini
    C:\WINDOWS\system32\soalouee.ini
    C:\WINDOWS\system32\spnuhfun.ini
    C:\WINDOWS\system32\tbmkwolw.ini
    C:\WINDOWS\system32\tidewbjx.dll
    C:\WINDOWS\system32\tlrnggyv.dll
    C:\WINDOWS\system32\tlveaggv.ini
    C:\WINDOWS\system32\tpblqfwj.ini
    C:\WINDOWS\system32\trgoocvr.ini
    C:\WINDOWS\system32\tvbrfdwl.ini
    C:\WINDOWS\system32\txpetdtg.ini
    C:\WINDOWS\system32\txxkudpm.ini
    C:\WINDOWS\system32\tysblwgi.dll
    C:\WINDOWS\system32\ugqmmtck.ini
    C:\WINDOWS\system32\uhiaemeo.ini
    C:\WINDOWS\system32\uimkfcsg.ini
    C:\WINDOWS\system32\ulbmrckx.ini
    C:\WINDOWS\system32\urbxkarg.ini
    C:\WINDOWS\system32\uyhhcenm.ini
    C:\WINDOWS\system32\vaetotgc.ini
    C:\WINDOWS\system32\vawtkcin.ini
    C:\WINDOWS\system32\vcgjgtxc.ini
    C:\WINDOWS\system32\vdywyjrv.ini
    C:\WINDOWS\system32\vgmkujfa.ini
    C:\WINDOWS\system32\vgxrnoba.ini
    C:\WINDOWS\system32\vhlltcli.ini
    C:\WINDOWS\system32\vpjvnspw.ini
    C:\WINDOWS\system32\vroarubl.ini
    C:\WINDOWS\system32\vsfcmdtk.ini
    C:\WINDOWS\system32\vuqnnsmy.ini
    C:\WINDOWS\system32\vyggnrlt.ini
    C:\WINDOWS\system32\wdevoins.ini
    C:\WINDOWS\system32\wgkikioh.ini
    C:\WINDOWS\system32\wnlvogjy.ini
    C:\WINDOWS\system32\wpdvpfoi.ini
    C:\WINDOWS\system32\wtnnucvf.ini
    C:\WINDOWS\system32\wvovwqwj.dll
    C:\WINDOWS\system32\wxhltsda.ini
    C:\WINDOWS\system32\xacyyliv.ini
    C:\WINDOWS\system32\xebwkqet.ini
    C:\WINDOWS\system32\xjbwedit.ini
    C:\WINDOWS\system32\xjrpavvl.dll
    C:\WINDOWS\system32\xkcrmblu.dll
    C:\WINDOWS\system32\xoihhsxg.ini
    C:\WINDOWS\system32\xtglobfy.ini
    C:\WINDOWS\system32\xwkkuwph.dll
    C:\WINDOWS\system32\yabpkmok.ini
    C:\WINDOWS\system32\ylnauoby.ini
    C:\WINDOWS\system32\yqehwoox.ini
    C:\WINDOWS\system32\ywsylckc.ini
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-01-01 to 2008-02-01  )))))))))))))))))))))))))))))))
    .
    
    2008-01-28 11:27 . 2008-01-28 11:27	26,688	--a------	C:\WINDOWS\system32\rlfxwcaw.dll
    2008-01-25 17:04 . 2008-01-25 17:04	<DIR>	d--------	C:\Program Files\Trend Micro
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    9999-08-26 05:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-01 18:35	---------	d-----w	C:\Program Files\Mozilla Thunderbird
    2008-01-31 02:50	---------	d-----w	C:\Documents and Settings\Loren\Application Data\.gaim
    2008-01-29 18:48	---------	d-----w	C:\Program Files\eMule
    2008-01-27 06:14	---------	d-----w	C:\Program Files\Soulseek
    2007-12-13 19:08	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Apple Computer
    2007-12-08 04:06	---------	d-----w	C:\Program Files\Lavasoft
    2007-12-08 04:06	---------	d-----w	C:\Documents and Settings\Loren\Application Data\Lavasoft
    2007-12-08 01:14	---------	d-----w	C:\Documents and Settings\Loren\Application Data\vlc
    2007-12-08 00:53	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Talkback
    2007-12-08 00:00	---------	d-----w	C:\Program Files\Windows Live Safety Center
    2007-12-07 20:29	---------	d-----w	C:\Program Files\VideoLAN
    2007-12-07 20:23	---------	d-----w	C:\Program Files\SopCast
    2007-12-07 09:10	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Lavasoft
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16C4CC4D-559A-40CA-927A-F59BD019E904}]
    2008-01-28 11:27	26688	--a------	C:\WINDOWS\system32\rlfxwcaw.dll
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48 147514]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-09-07 15:16 155648]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 15:40 282624]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    
    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 14:29]
    
    *Newly Created Service* - ENTDRV51
    .
    **************************************************************************
    
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-01 10:50:03
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully 
    hidden files: 0 
    
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-01 10:51:31 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-02-01 18:51:27
    .
    2008-01-25 18:29:20	--- E O F ---
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:55:55 AM, on 2/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\Sadekuuro.exe
    
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\rlfxwcaw.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    
    --
    End of file - 4468 bytes

  8. #8 Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 29,374)

    Hi

    Much better

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\rlfxwcaw.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16C4CC4D-559A-40CA-927A-F59BD019E904}]
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
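An added example, not part of this thread and not code from HijackThis, ComboFix or the expert above: the two entries targeted in this thread (the "(no name)" O2 BHO on rlfxwcaw.dll in post #8, and in post #5 the O4 Run value "90554a2c" that loads olyiuyxo.dll through rundll32) are the classic Virtumonde/Vundo footprint. The script below encodes that footprint as a heuristic over HijackThis O2/O4 lines and emits a CFScript in the same File:: / Registry:: shape the expert used. The sample input is copied from the log in post #5; everything else is the example's own: the regexes, the "5 to 8 lowercase letters directly in system32" rule for a random-looking DLL name, and the assumption that ComboFix's Registry:: section accepts standard REGEDIT4 syntax ("name"=- under the key) for deleting a Run value. Treat the output as a triage aid for a reviewer, not as a script to drop into ComboFix unread.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the HijackThis log in post #5
# (benign entries left in so the heuristic has something to ignore).
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\rlfxwcaw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E44B55D3-9FA7-41DE-A1D9-FCB5AAEEABFE} - C:\WINDOWS\system32\jkhhg.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [90554a2c] rundll32.exe "C:\WINDOWS\system32\olyiuyxo.dll",b
""".strip().splitlines()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    kind: str   # "bho" (O2 entry) or "run" (O4 entry)
    path: str   # DLL to list under File::
    reg: str    # REGEDIT4-style deletion for Registry::
    line: str   # the HijackThis line that triggered it


def random_system32_dll(path):
    """Heuristic (this example's own rule, not HijackThis's): a DLL sitting
    directly in system32 whose name is 5-8 lowercase letters, the pattern
    seen in rlfxwcaw.dll / olyiuyxo.dll / jkhhg.dll on this page."""
    directory, _, filename = path.rpartition("\\")
    return (directory.lower().endswith("\\system32")
            and re.fullmatch(r"[a-z]{5,8}\.dll", filename) is not None)


def scan_hjt(lines):
    """Return a Finding for each O2/O4 line matching the Vundo footprint.
    The path test is what keeps Spybot's own '(no name)' SDHelper.dll out."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)" and random_system32_dll(m["path"]):
                # Same key shorthand ComboFix printed and the expert used in post #8.
                reg = "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{" + m["clsid"] + "}]"
                findings.append(Finding("bho", m["path"], reg, line))
            continue
        m = O4_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m["cmd"])
            # Vundo's Run value: an 8-hex-digit name calling rundll32 on the DLL.
            if (dll and re.fullmatch(r"[0-9a-f]{8}", m["value"])
                    and random_system32_dll(dll.group(1))):
                # REGEDIT4 value deletion; assumed acceptable to ComboFix's Registry:: section.
                reg = ("[" + HIVES[m["hive"]] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
                       + '"' + m["value"] + '"=-')
                findings.append(Finding("run", dll.group(1), reg, line))
    return findings


def build_cfscript(findings):
    """Emit the File:: / Registry:: text in the shape used in post #8."""
    files = list(dict.fromkeys(f.path for f in findings))   # dedupe, keep order
    regs = [f.reg for f in findings]
    return "\n".join(["File::", *files, "", "Registry::", *regs]) + "\n"


if __name__ == "__main__":
    hits = scan_hjt(SAMPLE_HJT_LINES)
    for h in hits:
        print("FLAGGED", h.kind, h.line)
    print(build_cfscript(hits))
```

Run against the sample it flags exactly three entries (the two system32 BHOs and the rundll32 Run value) and leaves Adobe, Java, Spybot and NeroCheck alone. The name heuristic is deliberately narrow; a legitimate lowercase system32 DLL such as msvcrt.dll would only be flagged if it also appeared as a nameless BHO or behind a hex-named Run value, which is why the two conditions are always combined.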

  9. #9 Junior Member (Join Date: Jan 2008; Posts: 19)

    ComboFix didn't ask for a reboot this time (although it reset my web browsers again).

    Here's the file it brought up (just titled log.txt rather than Combofix.txt):

    Code:
    ComboFix 08-02.01.1 - Loren 2008-02-02 16:00:41.2 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.670 [GMT -8:00]
    Running from: C:\Documents and Settings\Loren\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Loren\Desktop\CFScript.txt
     * Created a new restore point
    
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    
    FILE
    C:\WINDOWS\system32\rlfxwcaw.dll
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    C:\WINDOWS\system32\rlfxwcaw.dll
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-01-02 to 2008-02-02  )))))))))))))))))))))))))))))))
    .
    
    2008-01-25 17:04 . 2008-01-25 17:04	<DIR>	d--------	C:\Program Files\Trend Micro
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    9999-08-26 05:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-02 23:50	---------	d-----w	C:\Program Files\Mozilla Thunderbird
    2008-02-02 04:19	---------	d-----w	C:\Documents and Settings\Loren\Application Data\.gaim
    2008-01-29 18:48	---------	d-----w	C:\Program Files\eMule
    2008-01-27 06:14	---------	d-----w	C:\Program Files\Soulseek
    2007-12-18 00:44	958,682	--sha-w	C:\WINDOWS\system32\soalouee.tmp
    2007-12-13 19:08	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Apple Computer
    2007-12-08 04:06	---------	d-----w	C:\Program Files\Lavasoft
    2007-12-08 04:06	---------	d-----w	C:\Documents and Settings\Loren\Application Data\Lavasoft
    2007-12-08 01:14	---------	d-----w	C:\Documents and Settings\Loren\Application Data\vlc
    2007-12-08 00:53	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Talkback
    2007-12-08 00:00	---------	d-----w	C:\Program Files\Windows Live Safety Center
    2007-12-07 20:29	---------	d-----w	C:\Program Files\VideoLAN
    2007-12-07 20:23	---------	d-----w	C:\Program Files\SopCast
    2007-12-07 09:10	---------	d-----w	C:\Documents and Settings\Sadekuuro\Application Data\Lavasoft
    2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00 94208]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50 139320]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 08:48 147514]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-09-07 15:16 155648]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-08 15:40 282624]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    
    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 14:29]
    
    *Newly Created Service* - ENTDRV51
    .
    **************************************************************************
    
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-02 16:02:22
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully 
    hidden files: 0 
    
    **************************************************************************
    .
    Completion time: 2008-02-02 16:02:59
    ComboFix-quarantined-files.txt  2008-02-03 00:02:50
    ComboFix2.txt  2008-02-01 18:51:32
    .
    2008-01-25 18:29:20	--- E O F ---

    And HJT...

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:08:48 PM, on 2/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Sadekuuro.exe
    
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    
    --
    End of file - 4383 bytes
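    A HijackThis log like the two posted above is plain text and can be triaged mechanically. The following Python script is an added example, not code from the thread or from HijackThis: it parses a few entries constructed from the log above, lists entries that point at a file that no longer exists, flags Run values whose unquoted path contains spaces, and checks whether a given filename (such as the rlfxwcaw.dll that ComboFix reported deleting) still appears in any entry.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")  # "O4 - ..." style lines
RUN_RE = re.compile(r"\[([^\]]+)\]\s+(.*)$")   # "[name] command" inside O4 lines

@dataclass
class Entry:
    kind: str  # section code such as "O4" or "O23"
    body: str  # text after the "O4 - " prefix

def parse_hjt(text: str) -> List[Entry]:
    """One Entry per 'Xn - ...' line; header and footer lines are ignored."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out

def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target is gone from disk (HijackThis prints '(no file)')."""
    return [e for e in entries if e.body.endswith("(no file)")]

def unquoted_run_paths(entries: List[Entry]) -> List[str]:
    """Names of O4 Run values whose executable path has spaces but no quotes;
    Windows may split such a command at the first space, so they deserve a look."""
    flagged = []
    for e in entries:
        m = RUN_RE.search(e.body) if e.kind == "O4" else None
        if not m or m.group(2).startswith('"'):
            continue
        cmd = m.group(2)
        cut = cmd.lower().find(".exe")
        path = cmd[:cut] if cut >= 0 else cmd.split(" ", 1)[0]
        if " " in path:
            flagged.append(m.group(1))
    return flagged

def references(entries: List[Entry], filename: str) -> List[Entry]:
    """Entries still naming a file, e.g. a DLL that ComboFix reports as deleted."""
    return [e for e in entries if filename.lower() in e.body.lower()]
```

    Run against the full log pasted from the post, an empty result from references(entries, "rlfxwcaw.dll") confirms that the deleted DLL is no longer hooked into any autostart or browser entry.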

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note: This scanner will work with Internet Explorer Only!

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Post:

    - a fresh HijackThis log
    - Kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
