
Thread: Virtumonde Infection Help Please

    #1 - Member (joined Oct 2008, 35 posts)

    Virtumonde Infection Help Please

    I have the nasty trojan and unsuccessfully removed it. I used Malwarebyte's Anti-malware and of course, Spybot. I thought they've removed them but my research shows that there's a lot of cleaning up to do.

    A help on this will be highly appreciated. Thanks!

    Here's my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:41:57 PM, on 10/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\igfxtray.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\WINDOWS\system32\cxbmtpya.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Documents and Settings\User\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [4248531e] rundll32.exe "E:\WINDOWS\system32\nobiyjwl.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
    O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://E:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    --
    End of file - 9142 bytes
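Reading the HijackThis log above is the substance of this thread, so here is an added triage script (my own example, not from any post and not part of HijackThis) that applies the patterns a helper looks for to a constructed sample modelled on that log: a non-empty O20 AppInit_DLLs line, an O4 autorun launched from a Temp folder, a system-binary name running outside system32, rundll32 loading a DLL under a hex entry name, and O2 BHOs with no file. The heuristics, names and severities are my assumptions, not an official rule set.

```python
"""Triage a HijackThis v2.0.2-style log for common Virtumonde-era autostart patterns.

Added example for this thread; not part of any post and not HijackThis code.
The heuristics below are the author's own assumptions, not an official rule set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis format, modelled on entries from the log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [4248531e] rundll32.exe "E:\WINDOWS\system32\nobiyjwl.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O2 - BHO: (no name) - {4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

HJT_ENTRY = re.compile(r"^(?P<kind>O\d+|R\d)\s+-\s+(?P<body>.*)$")
# Body of a registry-based O4 line:  HKLM\..\Run: [EntryName] command line
O4_REGRUN = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First program in a command line: either a "quoted path" or a bare path up to its extension
EXE_PATH = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|cpl|scr|com|bat)\b))', re.I)
DLL_ARG = re.compile(r'[A-Za-z]:\\[^",]+\.dll', re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)   # entry names such as [4248531e]
TEMP_DIR = re.compile(r"\\temp\\", re.I)        # also matches ...\LOCALS~1\Temp\...
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    entry: str      # the raw log line that triggered it
    reason: str


def first_path(cmd: str) -> str:
    """Return the program an O4 command line launches (quoted or bare path)."""
    m = EXE_PATH.match(cmd.strip())
    return (m.group("quoted") or m.group("bare")) if m else cmd.strip()


def check_run_entry(line: str, name: str, cmd: str) -> list[Finding]:
    """Apply the O4 heuristics to one registry Run entry."""
    found: list[Finding] = []
    exe = first_path(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    if TEMP_DIR.search(exe):
        found.append(Finding("high", line, "autorun launches from a Temp folder"))
    if base in SYSTEM_BINARIES and "\\windows\\system32\\" not in exe.lower():
        found.append(Finding("high", line, f"{base} is a Windows system binary name running outside system32"))
    if base == "rundll32.exe":
        dll = DLL_ARG.search(cmd)
        target = dll.group(0) if dll else "(unparsed DLL)"
        if HEX_NAME.match(name):
            found.append(Finding("high", line, f"rundll32 loads {target} under machine-generated entry name [{name}]"))
        else:
            found.append(Finding("medium", line, f"rundll32 loads {target}; confirm the DLL is a known component"))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over an HJT log; findings come back highest severity first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, process-list and blank lines carry no R/O entry
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            run = O4_REGRUN.match(body)
            if run:  # Startup-folder O4 lines do not match and are left alone here
                findings.extend(check_run_entry(line, run.group("name"), run.group("cmd")))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:  # any listed DLL is loaded into every process that maps user32.dll
                findings.append(Finding("high", line, f"AppInit_DLLs injects {', '.join(dlls)} into every GUI process"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", line, "orphaned BHO CLSID with no file on disk; registry cleanup only"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per severity for a one-line summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.entry}")
```

Run against the sample, the four high findings are exactly the entries the helper would target; the O23 service and the vendor autoruns produce nothing.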

    #2 - peku006, Emeritus - Security Expert (joined Feb 2007, Norway, 3,103 posts)

    Hello and Welcome to the forums!

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:

    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear"

    If you follow these instructions, everything should go smoothly.

    We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.
    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

    #3 - Member (joined Oct 2008, 35 posts)

    Thank you so much for your prompt help. I will surely keep you posted.

    And again, THANK YOU!

    #4 - Member (joined Oct 2008, 35 posts)

    Unfortunately, the Windows XP CD needed is not with me, nor is there a chance for me to get it from the friend from whom we bought this laptop. Just FYI. Can we still find a solution to this?

    Thanks, peku006.

    #5 - peku006, Emeritus - Security Expert (joined Feb 2007, Norway, 3,103 posts)

    Hi zu921

    the Windows XP CD is not needed..........

    If you have ComboFix present, please delete it from your computer

    Please do the following...

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    #6 - Member (joined Oct 2008, 35 posts)

    Hello peku006!

    Here's my Combofix log:

    ComboFix 08-10-19.04 - User 2008-10-20 20:27:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.544 [GMT 8:00]
    Running from: E:\Documents and Settings\User\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
    .

    2008-10-19 20:50 . 2008-10-19 20:50 <DIR> d-------- E:\Program Files\Trend Micro
    2008-10-18 22:55 . 2008-10-18 22:55 <DIR> d-------- E:\Program Files\Lavasoft
    2008-10-18 22:55 . 2008-10-18 23:03 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-18 22:51 . 2008-10-18 22:51 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
    2008-10-18 21:54 . 2008-10-18 21:54 <DIR> d-------- E:\VundoFix Backups
    2008-10-18 21:51 . 2008-10-18 21:51 <DIR> d-------- E:\Documents and Settings\User\Application Data\Malwarebytes
    2008-10-18 21:50 . 2008-10-18 21:50 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
    2008-10-18 21:50 . 2008-10-18 21:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-18 21:50 . 2008-10-16 20:25 38,496 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-18 21:50 . 2008-10-16 20:25 15,504 --a------ E:\WINDOWS\system32\drivers\mbam.sys
    2008-10-16 23:12 . 2008-10-19 16:55 208 --a------ E:\WINDOWS\wininit.ini
    2008-10-16 20:44 . 2008-10-16 20:44 <DIR> d-------- E:\Documents and Settings\User\Application Data\ESET
    2008-10-16 20:12 . 2008-10-16 20:12 262,144 --a------ E:\ntuser.dat
    2008-10-15 18:51 . 2008-08-14 18:11 2,189,184 -----c--- E:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-15 18:51 . 2008-08-14 18:09 2,145,280 -----c--- E:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-15 18:51 . 2008-08-14 17:33 2,066,048 -----c--- E:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-15 18:51 . 2008-08-14 17:33 2,023,936 -----c--- E:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-15 18:46 . 2008-09-08 18:41 333,824 -----c--- E:\WINDOWS\system32\dllcache\srv.sys
    2008-10-15 18:44 . 2008-09-15 20:12 1,846,400 -----c--- E:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-05 00:00 . 2008-10-05 00:00 <DIR> d-------- E:\Program Files\Alwil Software
    2008-10-04 14:20 . 2008-10-04 14:20 <DIR> d-------- E:\Program Files\Common Files\Windows Live
    2008-10-03 23:14 . 2008-10-03 23:14 <DIR> d-------- E:\Program Files\BUFFALO
    2008-10-03 23:14 . 2007-05-18 16:04 15,872 --a------ E:\WINDOWS\system32\drivers\bfturboh.sys
    2008-09-30 22:29 . 2008-09-30 22:29 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Fugazo
    2008-09-30 22:28 . 2008-09-30 23:18 <DIR> d-------- E:\Program Files\Fashion Fits
    2008-09-30 11:51 . 2008-09-30 20:23 <DIR> d-------- E:\Program Files\Believe In Santa
    2008-09-30 11:37 . 2008-09-30 20:22 <DIR> d-------- E:\Program Files\Dr Daisy Pet Vet
    2008-09-30 11:20 . 2008-09-30 11:35 <DIR> d-------- E:\Program Files\Happy Hour
    2008-09-30 09:47 . 2008-09-30 09:47 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Gogii
    2008-09-30 09:43 . 2008-09-30 22:35 <DIR> d-------- E:\Program Files\Babysitting Mania
    2008-09-30 08:45 . 2008-09-30 08:45 <DIR> d-------- E:\Program Files\Farm Frenzy
    2008-09-30 07:52 . 2008-09-30 07:53 <DIR> d-------- E:\Program Files\Daycare Nightmare
    2008-09-30 07:27 . 2008-09-30 07:27 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Sandlot Games
    2008-09-30 07:26 . 2008-09-30 20:22 <DIR> d-------- E:\Program Files\Cake Mania
    2008-09-29 21:21 . 2008-09-29 21:21 4,096 --a------ E:\WINDOWS\d3dx.dat
    2008-09-29 21:17 . 2008-09-30 07:51 <DIR> d-------- E:\Program Files\Sallys Salon

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-20 05:06 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-19 15:46 --------- d-----w E:\Documents and Settings\User\Application Data\AVG7
    2008-10-18 23:36 --------- d-----w E:\Documents and Settings\User\Application Data\Yahoo!
    2008-10-17 00:53 --------- d-----w E:\Documents and Settings\Guest\Application Data\AVG7
    2008-10-17 00:52 --------- d-----w E:\Documents and Settings\Guest\Application Data\Yahoo!
    2008-10-16 12:40 --------- d-----w E:\Program Files\ESET
    2008-10-16 12:40 --------- d-----w E:\Documents and Settings\All Users\Application Data\ESET
    2008-10-16 12:12 --------- d-----w E:\Documents and Settings\All Users\Application Data\yahoo!
    2008-10-04 16:06 --------- d-----w E:\Program Files\Spybot - Search & Destroy
    2008-09-30 03:38 --------- d-----w E:\Documents and Settings\All Users\Application Data\PlayFirst
    2008-09-15 12:12 1,846,400 ----a-w E:\WINDOWS\system32\win32k.sys
    2008-09-11 11:56 --------- d-----w E:\Documents and Settings\All Users\Application Data\Skype
    2008-09-09 06:35 --------- d-----w E:\Documents and Settings\User\Application Data\DNA
    2008-09-09 06:14 --------- d-----w E:\Program Files\Common Files\Teleca Shared
    2008-09-08 23:18 --------- d-----w E:\Program Files\DNA
    2008-09-08 10:41 333,824 ----a-w E:\WINDOWS\system32\drivers\srv.sys
    2008-08-26 07:24 826,368 ----a-w E:\WINDOWS\system32\wininet.dll
    2008-08-21 18:24 --------- d-----w E:\Program Files\UnzipThemAll
    2008-08-14 10:11 2,189,184 ----a-w E:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:33 2,066,048 ----a-w E:\WINDOWS\system32\ntkrnlpa.exe
    2007-01-10 19:10 88 -csh--r E:\WINDOWS\system32\D2941CCD26.sys
    2007-07-26 04:29 3,766 -csha-w E:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="E:\WINDOWS\system32\igfxtray.exe" [2005-01-23 155648]
    "HotKeysCmds"="E:\WINDOWS\system32\hkcmd.exe" [2005-01-23 126976]
    "eabconfg.cpl"="E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-04 290816]
    "WatchDog"="E:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-05 184320]
    "NeroCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
    "QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2006-03-28 155648]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "SynTPLpr"="E:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
    "SynTPEnh"="E:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
    "AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
    "YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "DiskeeperSystray"="E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 E:\WINDOWS\system32\narrator.exe]

    E:\Documents and Settings\User\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-22 113664]

    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
    DVD Check.lnk - E:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-01-24 184320]
    Microtek Scanner Finder.lnk - E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-04-08 335872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOfeeB]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffCSji]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkKdbAQ]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=uimkbo.dll twyjee.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "E:\\Program Files\\DNA\\btdna.exe"=
    "E:\\Program Files\\BitComet\\BitComet.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19251:TCP"= 19251:TCP:BitComet 19251 TCP
    "19251:UDP"= 19251:UDP:BitComet 19251 UDP

    S3 bfturboh;BUFFALO TurboUSB for HD Filter;E:\WINDOWS\system32\drivers\bfturboh.sys [2007-05-18 15872]
    S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);E:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 61600]
    S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 9360]
    S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 97184]
    S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);E:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 88688]
    S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);E:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-11-10 18704]
    S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;E:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-11-10 86560]
    S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);E:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-11-10 90800]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
    BHO-{67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
    BHO-{E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
    BHO-{F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
    BHO-{F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - E:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\h00quznt.Default User\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://alifeinbloom.blogspot.com/
    FF -: plugin - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
    FF -: plugin - E:\Program Files\DNA\plugins\npbtdna.dll
    FF -: plugin - E:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - E:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-20 20:29:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-10-20 20:33:00
    ComboFix-quarantined-files.txt 2008-10-20 12:31:55
    ComboFix2.txt 2008-10-20 12:13:31

    Pre-Run: 14,653,415,424 bytes free
    Post-Run: 14,641,049,600 bytes free

    169 --- E O F --- 2008-10-15 13:09:04

    #7 - peku006, Emeritus - Security Expert (joined Feb 2007, Norway, 3,103 posts)

    Hi zu921

    Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    Please reply with

    a fresh HijackThis log

    Thanks peku006

    #8 - Member (joined Oct 2008, 35 posts)

    Hello peku006! I also removed my bitcomet, FYI. Here's my recent HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:24:29 AM, on 10/21/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\igfxtray.exe
    E:\WINDOWS\system32\hkcmd.exe
    E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    E:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alifeinbloom.blogspot.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O2 - BHO: (no name) - {4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
    O2 - BHO: (no name) - {F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
    O2 - BHO: (no name) - {F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] E:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [WatchDog] E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: DVD Check.lnk = E:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = E:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
    O20 - Winlogon Notify: byXOfeeB - E:\WINDOWS\
    O20 - Winlogon Notify: iiffCSji - E:\WINDOWS\
    O20 - Winlogon Notify: jkkKdbAQ - E:\WINDOWS\
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - E:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    --
    End of file - 9323 bytes


    Thank you so much!

  9. #9
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi zu921

    1 - Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      • O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
        O2 - BHO: (no name) - {4B00B903-D83E-4EF9-AF02-7694EF4C21FE} - (no file)
        O2 - BHO: (no name) - {67DF6AEE-CC10-4973-82FE-3DE5A9D404BF} - (no file)
        O2 - BHO: (no name) - {E2FBCF45-5461-47FE-9438-F15F10571027} - (no file)
        O2 - BHO: (no name) - {F25255EB-A335-4016-9205-F34D77555ADB} - (no file)
        O2 - BHO: (no name) - {F4A33694-ED5C-4968-89F3-BF3EE11DFCC1} - (no file)
        O4 - HKCU\..\Run: [RegCom32] E:\DOCUME~1\User\LOCALS~1\Temp\IXP004.TMP\svchost.exe
        O20 - AppInit_DLLs: uimkbo.dll twyjee.dll
        O20 - Winlogon Notify: byXOfeeB - E:\WINDOWS\
        O20 - Winlogon Notify: iiffCSji - E:\WINDOWS\
        O20 - Winlogon Notify: jkkKdbAQ - E:\WINDOWS\

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    2 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.

      if you use Firefox:
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      if you use Opera:
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program


    3 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    4 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

    5 - Status Check
    Please reply with


    1. the Malwarebytes' Anti-Malware Log
    2. a fresh HijackThis log
    How is the computer running now?

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
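
    As an added example (not part of this thread and not HijackThis's own code), the following Python script encodes the triage behind the "Fix Checked" list in the post above: O2 BHOs whose DLL is "(no file)", an O4 autorun that launches svchost.exe from a Temp folder, a non-empty AppInit_DLLs value, and Winlogon Notify packages with unfamiliar names. The sample lines are copied from the log posted in this thread; the list of system binary names, the Windows XP Winlogon Notify allowlist and the regular expressions are this example's own assumptions.

```python
"""Triage HijackThis (HJT) log lines for Vundo/Virtumonde-style persistence.

Added example; not code from the thread or from HijackThis. It flags the
same four kinds of entry the helper ticks under "Fix Checked":
  O2  BHO with "(no file)"          -> orphaned CLSID, DLL already gone
  O4  Run entry launched from Temp   -> dropper residue (IXP*.TMP is an
                                        IExpress self-extractor folder)
  O20 AppInit_DLLs                   -> DLL injected into every GUI process
  O20 Winlogon Notify, unknown name  -> DLL loaded by winlogon.exe at logon
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Image names that belong in %SystemRoot%\system32. The same name launched
# from elsewhere is a masquerade. (Assumption: short illustrative list.)
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

# Winlogon Notify packages normally present on Windows XP, lower-cased.
# (Assumption: illustrative allowlist, not exhaustive; extend per machine.)
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon"}

ORPHAN_BHO = re.compile(r"^O2 - BHO: .*\{[0-9A-Fa-f-]{36}\} - \(no file\)$")
RUN_ENTRY = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
WINLOGON = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HJT section prefix, e.g. "O4"
    line: str      # the log line exactly as it should be ticked in HJT
    reason: str    # why it is suspicious


def _image_path(cmd: str) -> str:
    """Return the executable path of a Run command, minus quotes/arguments."""
    m = re.match(r'"?(?P<path>.+?\.exe)"?(?=\s|$)', cmd.strip(), re.I)
    return m.group("path") if m else cmd.strip()


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; None means nothing to act on."""
    line = line.strip()
    if ORPHAN_BHO.match(line):
        return Finding("O2", line, "BHO CLSID registered but its DLL is gone")
    m = RUN_ENTRY.match(line)
    if m:
        low = _image_path(m.group("cmd")).lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\temp\\" in low:
            reasons.append(f"autorun launches {name} from a Temp folder")
        if name in SYSTEM_BINARIES and "\\system32\\" not in low:
            reasons.append(f"{name} outside system32 is a masquerade")
        return Finding("O4", line, "; ".join(reasons)) if reasons else None
    m = APPINIT.match(line)
    if m:
        return Finding("O20", line,
                       f"AppInit_DLLs loads {m.group('dlls')} into every process "
                       "that maps user32.dll; the value is empty on a clean XP box")
    m = WINLOGON.match(line)
    if m:
        if m.group("name").lower() in KNOWN_NOTIFY:
            return None
        reason = "Winlogon Notify package not in the known-good list"
        if m.group("path").endswith("\\"):
            reason += "; HJT shows a directory only, no DLL file name resolved"
        return Finding("O20", line, reason)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def fix_list(text: str) -> List[str]:
    """Lines to tick under HijackThis 'Fix Checked', in log order."""
    return [f.line for f in triage_log(text)]


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)",
    "O4 - HKLM\\..\\Run: [AVG7_CC] E:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP",
    "O4 - HKCU\\..\\Run: [RegCom32] E:\\DOCUME~1\\User\\LOCALS~1\\Temp\\IXP004.TMP\\svchost.exe",
    "O20 - AppInit_DLLs: uimkbo.dll twyjee.dll",
    "O20 - Winlogon Notify: byXOfeeB - E:\\WINDOWS\\",
    "O23 - Service: Diskeeper - Diskeeper Corporation - E:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkService.exe",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Run it as-is to see the four entries from the sample flagged with a reason each; the legitimate Adobe BHO, the AVG autorun and the Diskeeper service pass through. The Winlogon Notify allowlist is the part to keep current: an unknown name is only a prompt to look at the DLL, not proof of infection.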

  10. #10
    Member
    Join Date
    Oct 2008
    Posts
    35

    Default

    Hello again, peku006! I hope you are doing well.

    Here's my fresh mbam-log (it found 5 Trojan.Vundo files, which were successfully deleted):

    Malwarebytes' Anti-Malware 1.29
    Database version: 1299
    Windows 5.1.2600 Service Pack 3

    10/21/2008 9:52:10 PM
    mbam-log-2008-10-21 (21-52-10).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 114877
    Time elapsed: 2 hour(s), 58 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081814.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081815.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081824.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081825.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{7607B9D7-28FA-47B3-8E30-66FE14C6741B}\RP308\A0081826.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
