
Thread: Virtumonde Help!

  1. #1
    Member
    Join Date
    Jun 2008
    Posts
    36

    Virtumonde Help!

    Been trying to get rid of this piece of trash for about an hour. Pop-ups, redirects, forced downloads: you name it, this virus has it. Please assist ASAP!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:42:20 AM, on 6/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\cbXOHXRj.dll
    O2 - BHO: {b198df4b-50b5-1659-07e4-f8e4cc2924e2} - {2e4292cc-4e8f-4e70-9561-5b05b4fd891b} - C:\WINDOWS\system32\mdtpdnhr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {D60E8461-3EF4-42E2-A2F8-7D4CE176C4C3} - C:\WINDOWS\system32\rqRJBTKB.dll (file missing)
    O2 - BHO: (no name) - {E2A9016A-1CC8-4888-A271-F119D92E853E} - C:\WINDOWS\system32\vtUomjKc.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
    O4 - HKLM\..\Run: [74e5ce9e] rundll32.exe "C:\WINDOWS\system32\ipuhdmop.dll",b
    O4 - HKLM\..\Run: [BM77d6fd02] Rundll32.exe "C:\WINDOWS\system32\dpdivgnf.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.0.0.0.0
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: http://www.utorrent.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O20 - Winlogon Notify: cbXOHXRj - C:\WINDOWS\SYSTEM32\cbXOHXRj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

    --
    End of file - 4681 bytes

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Virus Hater

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\cbXOHXRj.dll
    O2 - BHO: {b198df4b-50b5-1659-07e4-f8e4cc2924e2} - {2e4292cc-4e8f-4e70-9561-5b05b4fd891b} - C:\WINDOWS\system32\mdtpdnhr.dll
    O2 - BHO: (no name) - {D60E8461-3EF4-42E2-A2F8-7D4CE176C4C3} - C:\WINDOWS\system32\rqRJBTKB.dll (file missing)
    O2 - BHO: (no name) - {E2A9016A-1CC8-4888-A271-F119D92E853E} - C:\WINDOWS\system32\vtUomjKc.dll

    O4 - HKLM\..\Run: [74e5ce9e] rundll32.exe "C:\WINDOWS\system32\ipuhdmop.dll",b
    O4 - HKLM\..\Run: [BM77d6fd02] Rundll32.exe "C:\WINDOWS\system32\dpdivgnf.dll",s

    O20 - Winlogon Notify: cbXOHXRj - C:\WINDOWS\SYSTEM32\cbXOHXRj.dll

    Download: DelDomains and save it to the desktop.
    • Close all open windows and your browser
    • Right Click DelDomains.inf and select > Install
    • Reboot your computer
    Internet Explorer is needed to run this properly.

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
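    As an added example (not code from this thread, from HijackThis or from any tool named here), a small Python triage of the log format the helper reads above: it flags the same classes of entry that were ticked in the Fix Checked list (no-name BHOs, Run entries that launch a random-named system32 DLL through rundll32, Winlogon Notify hooks, wildcard Trusted Zone entries) and notes when one DLL is hooked from two places. The sample lines are constructed from post #1; the Winlogon Notify allow-list and the naming heuristics are assumptions of the example, so its output is a review list, not a verdict.

```python
"""Triage of HijackThis v2.x log lines (added example; not code from the thread or from HijackThis)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in HijackThis format, modelled on the log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\cbXOHXRj.dll
O2 - BHO: {b198df4b-50b5-1659-07e4-f8e4cc2924e2} - {2e4292cc-4e8f-4e70-9561-5b05b4fd891b} - C:\WINDOWS\system32\mdtpdnhr.dll
O2 - BHO: (no name) - {D60E8461-3EF4-42E2-A2F8-7D4CE176C4C3} - C:\WINDOWS\system32\rqRJBTKB.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [74e5ce9e] rundll32.exe "C:\WINDOWS\system32\ipuhdmop.dll",b
O4 - HKLM\..\Run: [BM77d6fd02] Rundll32.exe "C:\WINDOWS\system32\dpdivgnf.dll",s
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: http://www.utorrent.com
O20 - Winlogon Notify: cbXOHXRj - C:\WINDOWS\SYSTEM32\cbXOHXRj.dll
"""

# Winlogon Notify subkeys that ship with Windows XP. Partial list; an assumption of this example.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Heuristics, not verdicts: the Vundo DLLs in the thread are eight letters with no digits,
# and the rogue Run values are named with a hex id (optionally prefixed "BM").
RANDOM_NAME_RE = re.compile(r"[A-Za-z]{8}")
HEX_VALUE_RE = re.compile(r"(?:BM)?[0-9a-f]{8}")
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)(?: \((?P<where>HKLM)\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)$', re.IGNORECASE)


@dataclass
class Finding:
    section: str          # "O2", "O4", "O15" or "O20"
    line: str             # the log line to tick in HijackThis
    reasons: list = field(default_factory=list)


def stem(path: str) -> str:
    # File name without directory or extension: C:\WINDOWS\system32\cbXOHXRj.dll -> cbXOHXRj
    return path.strip().rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def random_system32_name(path: str) -> bool:
    return bool(SYSTEM32_RE.search(path)) and bool(RANDOM_NAME_RE.fullmatch(stem(path)))


def triage(log_text: str) -> list:
    """Return one Finding per log line that deserves review, with the reasons it was flagged."""
    findings, modules = [], {}      # modules: lower-case DLL stem -> findings that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, path = [], None
        if m := O2_RE.match(line):
            path = m["path"]
            if m["name"] == "(no name)" or GUID_RE.fullmatch(m["name"]):
                reasons.append("BHO registered without a product name")
            if random_system32_name(path):
                reasons.append("random-looking 8-letter DLL name in system32")
        elif m := O4_RE.match(line):
            if r := RUNDLL_RE.match(m["cmd"]):
                path = r["dll"]
                if random_system32_name(path):
                    reasons.append("rundll32 loads a random-looking system32 DLL")
                if len(r["export"]) == 1:
                    reasons.append("single-letter export name")
            if HEX_VALUE_RE.fullmatch(m["value"]):
                reasons.append("Run value named with a hex id instead of a product name")
        elif m := O15_RE.match(line):
            if m["host"].startswith("*."):
                reasons.append("wildcard Trusted Zone entry (DelDomains clears these)")
        elif m := O20_RE.match(line):
            path = m["path"]
            if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                reasons.append("Winlogon Notify hook not in the stock XP list")
            if random_system32_name(path):
                reasons.append("random-looking 8-letter DLL name in system32")
        if reasons:
            finding = Finding(line.split(" ", 1)[0], line, reasons)
            findings.append(finding)
            if path:
                modules.setdefault(stem(path).lower(), []).append(finding)
    # The same DLL hooked from two places (here a BHO that is also a Winlogon Notify
    # handler) is the pattern behind the helper's pick list: note it on both lines.
    for name, group in modules.items():
        sections = sorted({f.section for f in group})
        if len(sections) > 1:
            for f in group:
                f.reasons.append(f"{name} also appears under {'/'.join(sections)}")
    return findings


def lines_to_review(log_text: str) -> list:
    """Just the flagged lines, in log order, to compare against a helper's Fix Checked list."""
    return [f.line for f in triage(log_text)]
```

Run `triage(SAMPLE_LOG)` and print each finding's `line` and `reasons`; on the sample it returns exactly the seven entries a helper would tick and leaves the Acrobat, Java and utorrent lines alone.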

  3. #3
    Member
    Join Date
    Jun 2008
    Posts
    36


    Thank you, it seems that I can finally browse Google in peace. Anyway, here are the logs again so you can make sure I didn't miss anything.

    Malwarebytes:
    Malwarebytes' Anti-Malware 1.17
    Database version: 870

    6:41:59 PM 6/19/2008
    mbam-log-6-19-2008 (18-41-59).txt

    Scan type: Quick Scan
    Objects scanned: 37323
    Time elapsed: 16 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\THE INTERNET\Local Settings\Temp\winvsnet.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\THE INTERNET\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\THE INTERNET\Local Settings\Temp\rasesnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:44:24 PM, on 6/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Notepad++\notepad++.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

    --
    End of file - 3221 bytes

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Looking good, but there may be more to remove.

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot-up.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  5. #5
    Member
    Join Date
    Jun 2008
    Posts
    36

    Virtumonde/csrss Help

    I have been busy and have not had time to reply to my previous topic, so it ended up in the archives. Along with the Virtumonde issue, I also feel as though I have a new issue with csrss.exe in my processes. This post is to continue off of this topic:
    http://forums.spybot.info/showthread...620#post203620

    ComboFix log:
    ComboFix 08-06-30.2 - THE INTERNET 2008-07-01 20:06:26.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.39 [GMT -4:00]
    Running from: C:\Documents and Settings\THE INTERNET\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\Config\csrss.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\BKTBJRqr.ini
    C:\WINDOWS\system32\BKTBJRqr.ini2
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\cKjmoUtv.ini
    C:\WINDOWS\system32\cKjmoUtv.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\pomdhupi.ini
    C:\WINDOWS\system32\urnkxala.ini
    C:\WINDOWS\system32\vaoajtle.ini
    C:\WINDOWS\system32\xgcrsvhh.dll

    ----- BITS: Possible infected sites -----

    hxxp://www.hhdsoftware.com
    hxxp://dna65.fastaccess.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IPRIP
    -------\Service_Iprip


    ((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
    .

    2008-07-01 19:15 . 2008-07-01 19:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-01 19:15 . 2008-07-01 19:15 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-07-01 01:41 . 2008-07-01 01:41 <DIR> d-------- C:\Program Files\Quicknation
    2008-06-30 01:05 . 2008-06-30 01:05 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2008-06-30 01:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-06-30 01:05 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-06-30 01:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-06-29 12:02 . 2008-06-29 12:02 <DIR> d-------- C:\Program Files\uTorrent
    2008-06-26 01:58 . 2008-06-26 01:58 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
    2008-06-25 00:06 . 2008-06-25 00:06 <DIR> d-------- C:\Program Files\Duplicate FREE Edition
    2008-06-23 17:30 . 2008-06-23 17:30 <DIR> d-------- C:\Documents and Settings\THE INTERNET\Application Data\Yahoo!
    2008-06-23 17:30 . 2008-06-23 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-06-23 17:27 . 2008-06-23 17:27 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2008-06-23 17:26 . 2008-06-23 17:26 <DIR> d-------- C:\Program Files\Yahoo!
    2008-06-23 17:23 . 2008-06-23 17:23 <DIR> d-------- C:\Program Files\The Weather Channel FW
    2008-06-23 17:23 . 2008-05-15 15:29 1,084,528 --a------ C:\WINDOWS\system32\TWCSaver.scr
    2008-06-23 17:23 . 2006-10-30 12:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-06-19 18:21 . 2008-06-19 18:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-19 18:21 . 2008-06-19 18:21 <DIR> d-------- C:\Documents and Settings\THE INTERNET\Application Data\Malwarebytes
    2008-06-19 18:21 . 2008-06-19 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-19 18:21 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-19 18:21 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-19 04:41 . 2008-06-19 04:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-19 03:59 . 2008-07-01 19:58 <DIR> d-------- C:\Documents and Settings\THE INTERNET\Application Data\SiteAdvisor
    2008-06-19 03:59 . 2008-06-19 03:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-06-19 03:59 . 2008-06-19 03:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-06-19 02:07 . 2008-06-19 02:07 95 --a------ C:\WINDOWS\wininit.ini
    2008-06-18 14:11 . 2008-06-19 03:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-16 22:28 . 2008-06-19 07:17 110,396 --a------ C:\WINDOWS\BM77d6fd02.xml
    2008-06-16 16:19 . 2008-06-18 10:13 <DIR> d-------- C:\WINDOWS\system32\netrax01
    2008-06-16 16:19 . 2008-06-16 16:19 <DIR> d-------- C:\Temp\itmp4
    2008-06-16 16:19 . 2008-06-16 16:19 <DIR> d-------- C:\Temp
    2008-06-15 22:44 . 2008-06-16 08:39 <DIR> d-------- C:\Documents and Settings\THE INTERNET\Contacts
    2008-06-15 21:56 . 2008-06-15 21:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-15 21:42 . 2008-06-15 21:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-06-15 21:41 . 2008-06-19 03:47 <DIR> d-------- C:\Program Files\Windows Live
    2008-06-15 21:41 . 2008-06-15 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-06-15 07:29 . 2008-06-15 07:29 <DIR> d-------- C:\Program Files\Red Kawa
    2008-06-14 16:07 . 2008-06-14 16:07 15,216 --a------ C:\Documents and Settings\THE INTERNET\Application Data\GDIPFONTCACHEV1.DAT
    2008-06-13 21:25 . 2008-06-22 06:03 <DIR> d-------- C:\Program Files\PeerGuardian2
    2008-06-07 06:06 . 2008-06-07 06:08 13 --a------ C:\WINDOWS\system32\WinSys32.crc
    2008-06-07 06:05 . 1998-06-17 04:00 18,944 --a------ C:\WINDOWS\system32\BORLNDMM.DLL
    2008-06-07 06:04 . 2008-06-07 06:09 <DIR> d-------- C:\Program Files\CoffeeCup Software
    2008-06-06 19:21 . 2008-06-06 19:21 <DIR> d-------- C:\Program Files\Notepad++
    2008-06-06 19:21 . 2008-06-06 19:22 <DIR> d-------- C:\Documents and Settings\THE INTERNET\Application Data\Notepad++
    2008-06-04 13:50 . 2008-06-04 13:50 <DIR> d-------- C:\Program Files\AskSBar

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-02 00:14 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\AVG7
    2008-07-02 00:11 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\uTorrent
    2008-07-01 23:07 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\FileZilla
    2008-06-23 09:20 --------- d-----w C:\Program Files\FileZilla FTP Client
    2008-06-19 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-01 07:46 --------- d-----w C:\Program Files\ImageConverter Plus
    2008-06-01 07:18 --------- d-----w C:\Program Files\IrfanView
    2008-05-31 08:00 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\LimeWire
    2008-05-31 07:49 --------- d-----w C:\Program Files\LimeWire
    2008-05-28 06:32 --------- d-----w C:\Program Files\HHD Software
    2008-05-28 06:11 --------- d-----w C:\Program Files\Java
    2008-05-27 15:14 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\Lavasoft
    2008-05-27 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-05-27 02:01 12,219,983 ------w C:\avg7qt.dat
    2008-05-26 22:30 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\DivX
    2008-05-25 15:33 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\Talkback
    2008-05-22 14:57 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-22 14:57 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\AdobeUM
    2008-05-15 14:52 --------- d-----w C:\Program Files\Google
    2008-05-13 18:36 --------- d-----w C:\Program Files\DivX
    2008-05-10 21:39 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\AVG7
    2008-05-06 14:38 --------- d-----w C:\Program Files\Common Files\Java
    2008-05-02 18:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-05-02 18:07 --------- d-----w C:\Program Files\Common Files\SupportSoft
    2008-05-02 18:07 --------- d-----w C:\Program Files\BellSouth
    2008-05-02 17:54 53,934 ----a-w C:\Program Files\INSTALL.LOG
    2008-05-02 17:54 --------- d-----w C:\Program Files\BellSouth Application Management
    2008-05-02 17:53 --------- d-----w C:\Program Files\Common Files\Motive
    2008-05-02 17:43 --------- d-----w C:\Program Files\AT&T
    2008-05-02 17:43 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\AT&T
    2008-05-02 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
    2008-05-02 17:41 --------- d-----w C:\Documents and Settings\THE INTERNET\Application Data\Motive
    2008-05-02 01:38 499,712 ------w C:\WINDOWS\system32\msvcp71.dll
    2008-05-02 01:38 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
    2008-05-02 01:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-05-02 01:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-05-02 01:32 --------- d-----w C:\Program Files\Radialpoint
    2008-05-02 01:32 --------- d-----w C:\Program Files\InstallShield Installation Information
    2008-05-02 01:32 --------- d-----w C:\Program Files\Common Files\PestPatrol
    2008-05-02 01:32 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-05-02 01:32 --------- d-----w C:\Program Files\Common Files\Command Software
    2008-05-02 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Radialpoint
    2008-05-02 01:25 --------- d-----w C:\Program Files\att-nap
    2008-05-02 01:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
    2008-05-02 01:10 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B54388D6-613B-493D-9AB3-7366753D991B}]
    2007-02-17 02:59 868424 --a------ C:\PROGRA~1\QUICKN~1\torrent.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-01 22:56 579584]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "MsmqIntCert"="mqrt.dll" [2004-08-03 20:56 177152 C:\WINDOWS\system32\mqrt.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-01 22:50 219136]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
    --a------ 2007-06-28 19:02 198184 C:\Program Files\BellSouth\HelpCenter40b\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW.exe]
    --a------ 2007-05-03 13:12 2061816 C:\Program Files\AT&T\Internet Security Wizard\ISW.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
    --a------ 2005-09-18 18:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\att-nap\\McciBrowser.exe"=
    "C:\\WINDOWS\\system32\\mqsvc.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
    "2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
    "139:TCP"= 139:TCP:@xpsp2res.dll,-22004
    "445:TCP"= 445:TCP:@xpsp2res.dll,-22005
    "137:UDP"= 137:UDP:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:@xpsp2res.dll,-22002
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundRouterRequest"= 0 (0x0)
    "AllowInboundTimestampRequest"= 0 (0x0)
    "AllowInboundMaskRequest"= 0 (0x0)
    "AllowOutboundDestinationUnreachable"= 0 (0x0)
    "AllowOutboundSourceQuench"= 0 (0x0)
    "AllowOutboundParameterProblem"= 0 (0x0)
    "AllowOutboundTimeExceeded"= 0 (0x0)
    "AllowRedirect"= 0 (0x0)
    "AllowOutboundPacketTooBig"= 0 (0x0)
    "AllowInboundEchoRequest"= 1 (0x1)

    R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2008-01-28 16:56]
    S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-01-19 13:53]
    S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
    S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-01-19 13:53]
    S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-03 20:56]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-03 20:56]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-03 20:56]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-03 20:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{509df6c2-17bb-11dd-9483-806d6172696f}]
    \Shell\AutoRun\command - F:\AT&T_High_Speed_Internet_Service.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-01 21:08:05 C:\WINDOWS\Tasks\{329BB0AF-EF3A-474C-BD8E-E978B2651A4D}_THEINTER-11015A_THE INTERNET.job"
    - C:\WINDOWS\system32\mobsync.exeQ /Schedule=
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-74e5ce9e - C:\WINDOWS\system32\alaxknru.dll
    MSConfigStartUp-BM77d6fd02 - C:\WINDOWS\system32\hiyvvnuq.dll
    MSConfigStartUp-Weather - C:\Program Files\AWS\WeatherBug\Weather.exe
    MSConfigStartUp-µTorrent - (no file)


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-01 20:13:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\msdtc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\drwtsn32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-01 20:16:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-02 00:16:02

    Pre-Run: 30,514,176,000 bytes free
    Post-Run: 30,847,455,232 bytes free

    238 --- E O F --- 2008-05-02 02:54:16
    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:37:06 PM, on 7/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: XBTB06148 - {B54388D6-613B-493D-9AB3-7366753D991B} - C:\PROGRA~1\QUICKN~1\torrent.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

    --
    End of file - 4160 bytes

    Thanks!
    Last edited by tashi; 2009-06-20 at 19:46. Reason: Removed code around logs

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    Server was down, sorry. I merged both your threads and am looking at them now; be back in a bit. Please just paste the reports in, do not quote or code them.

    ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    With being offline for a bit we all kind of fell behind. Your logs look good.

    You have a toolbar by Softomate, you can read about it here and make up your own mind if you want it on your system.
    http://www.castlecops.com/clsid-35246.html

    You also have the AskToolbar, read about this also.
    http://www.castlecops.com/tk34314-ASKSBAR_DLL.html

    Let me know if you want to get rid of them. How are things running now?

  8. #8
    Member
    Join Date
    Jun 2008
    Posts
    36

    Default

    Quote Originally Posted by ken545
    Hello,

    With being offline for a bit we all kind of fell behind. Your logs look good.

    You have a toolbar by Softomate, you can read about it here and make up your own mind if you want it on your system.
    http://www.castlecops.com/clsid-35246.html

    You also have the AskToolbar, read about this also.
    http://www.castlecops.com/tk34314-ASKSBAR_DLL.html

    Let me know if you want to get rid of them. How are things running now?
    Yes, I would like to know how to get rid of both of them. As for my computer, it is running a lot faster, thank you.

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    You can remove these entries with HJT:
    O2 - BHO: XBTB06148 - {B54388D6-613B-493D-9AB3-7366753D991B} - C:\PROGRA~1\QUICKN~1\torrent.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

    Open HijackThis:
    • Go to Misc Tools > Open Uninstall Manager.
    • Click on Save List.
    • The list will open in Notepad.
    • Copy and paste the list into this thread.
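As an added example, not part of this thread and not code from HijackThis itself: a small Python parser for the O2/O3 (BHO and toolbar) lines in the log format posted above. It picks out the two entries ken545 names in post #9 by CLSID and also flags any BHO whose DLL HijackThis reports as missing. The sample log is constructed from the posted entries; the all-zero CLSID and example.dll are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis log format used in this thread. The
# middle two lines are the entries ken545 listed for removal; the fourth is
# a made-up dead registration (placeholder CLSID and file name).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O2 - BHO: XBTB06148 - {B54388D6-613B-493D-9AB3-7366753D991B} - C:\\PROGRA~1\\QUICKN~1\\torrent.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\\Program Files\\AskSBar\\bar\\1.bin\\ASKSBAR.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\example.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
"""

# O2 (BHO) and O3 (Toolbar) lines share one shape: code - kind: name - {CLSID} - path
_ENTRY = re.compile(
    r"^(?P<code>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# CLSIDs of the two entries ken545 told the poster to remove (post #9).
REMOVE_CLSIDS = {
    "{B54388D6-613B-493D-9AB3-7366753D991B}",  # XBTB06148 / torrent.dll
    "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}",  # Ask Toolbar
}

@dataclass
class HjtEntry:
    code: str
    kind: str
    name: str
    clsid: str
    path: str
    file_missing: bool

def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Return the O2/O3 entries of a HijackThis log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append(HjtEntry(m["code"], m["kind"], m["name"], m["clsid"],
                                    m["path"], m["missing"] is not None))
    return entries

def entries_to_fix(log_text: str, remove_clsids=REMOVE_CLSIDS) -> List[HjtEntry]:
    """Entries on the removal list (CLSID compared case-insensitively) plus any
    entry whose DLL HijackThis reports missing: a dead registration left behind
    after the file itself was removed."""
    wanted = {c.upper() for c in remove_clsids}
    return [e for e in parse_hjt(log_text)
            if e.clsid.upper() in wanted or e.file_missing]

if __name__ == "__main__":
    for e in entries_to_fix(SAMPLE_LOG):
        print(f"{e.code} {e.kind}: {e.name} -> {e.path}")
```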
