
Thread: Virtumonde :-(

  1. #11
    Junior Member
    Join Date
    Aug 2008
    Posts
    10

    new HJT log

    Fingers crossed



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:04:32 AM, on 5/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\WINDOWS\ATKKBService.exe
    H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    H:\Program Files\Bonjour\mDNSResponder.exe
    H:\Program Files\Common Files\LightScribe\LSSrvc.exe
    H:\WINDOWS\System32\nvsvc32.exe
    H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\RTHDCPL.EXE
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    H:\Program Files\iTunes\iTunesHelper.exe
    H:\Program Files\Messenger\msmsgs.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    H:\Program Files\BitTorrent\bittorrent.exe
    H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
    H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
    H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    H:\Program Files\iPod\bin\iPodService.exe
    H:\WINDOWS\system32\wscntfy.exe
    H:\WINDOWS\system32\wuauclt.exe
    H:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    H:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    H:\Program Files\Internet Explorer\iexplore.exe
    H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    H:\Documents and Settings\Dave\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
    O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
    O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
    O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
    O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
    O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
    O4 - HKLM\..\Run: [36X Raid Configurer] H:\WINDOWS\System32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [PC Suite Tray] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [Nokia.PCSync] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
    O4 - HKCU\..\Run: [AdobeUpdater] H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
    O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - H:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1183531326546
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - H:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - H:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - H:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 12100 bytes

  2. #12
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313


    Hi

    Looking good

    I believe teatimer may be interfering with the removal of some orphan (empty) registry keys... it would do no harm to leave them, but let's try & remove them ...

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    THEN ...

    Disconnect from the internet, close ALL browser windows (including this one), run hijackthis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom :-

    O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
    O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
    O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)

    O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
    O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)

    O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
    O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
    O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)


    Restart your computer.

    Run hijackthis again & see if those entries are still there?

    Re-enable "real-time protection" with teatimer

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E
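The triage rule steam is applying above (an O2 line whose last column reads "(no file)" is a Browser Helper Object registration whose DLL is gone, so the key is orphaned) as a small log parser. This is an added example, not code from the thread or from HijackThis; the sample input is constructed from a handful of O2/O3 lines in the posted log, and the parser reproduces the "tick these" list from them.

```python
"""Flag orphaned Browser Helper Object entries in a HijackThis log.

Added example (not part of the original thread). HijackThis prints an O2
line per BHO registered under the Browser Helper Objects registry key; when
the registered DLL no longer exists the file column reads "(no file)".
Such entries are inert leftovers, which is why the helper has them fixed.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O3 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <file or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$"
)


@dataclass
class Bho:
    name: str
    clsid: str
    file: str

    @property
    def orphaned(self) -> bool:
        # HJT substitutes "(no file)" when the InprocServer32 DLL is missing.
        return self.file.strip() == "(no file)"


def parse_bhos(log_text):
    """Return every O2 entry in a HijackThis log as a Bho record."""
    bhos = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(Bho(m["name"], m["clsid"], m["file"]))
    return bhos


def orphaned_bho_lines(log_text):
    """Rebuild the 'tick these in HJT' list: O2 lines whose DLL is gone."""
    return [f"O2 - BHO: {b.name} - {b.clsid} - {b.file}"
            for b in parse_bhos(log_text) if b.orphaned]


if __name__ == "__main__":
    for entry in orphaned_bho_lines(SAMPLE_LOG):
        print(entry)
```

Running it over a full log (read from a file instead of SAMPLE_LOG) yields exactly the eight "(no file)" O2 lines steam lists; an O2 entry that still points at an existing DLL is left alone.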

  3. #13
    Junior Member
    Join Date
    Aug 2008
    Posts
    10


    Thank you... the O2 - BHO entries listed above are gone.
    Is there anything else I need to do now? Do you need another HJT log?



    Thanks sooo much steam, your easy-to-follow instructions and quick replies have been great.

    Cheers

    Kippen

  4. #14
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313


    Hi

    No need to see another hijackthis log

    If you have no further problems ...

    Before you leave the site ...

    Please Have a look here at ways to keep your computer safe :-

    So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

    Happy surfing

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E

  5. #15
    Junior Member
    Join Date
    Aug 2008
    Posts
    10

    thanks

    Thanks heaps....no more problems. Yeww!

    I will be keeping my PC safe from now on

    Cheers
    Kippen

  6. #16
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313


    Hi

    You're very welcome

    As this thread is resolved, it is now locked.

    If the original poster would like it re-opened, please send me a PM with a link to this thread.

    cheers

    steam
    MICROSOFT MVP - Security 2004/9. Member of ASAP since 2004 - member of U.N.I.T.E
