Thread: Virtumonde
  1. #1
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Virtumonde

    About a year and a half ago, I contracted the Virtumonde/Vundo nonsense. There was very little effective information on it back then, and I managed to incapacitate it with a combination of tools, registry edits, and manual file deletions, one tool being a cleaner made specifically for Vundo malware. I killed it to the point where it no longer seemed to be functioning, and that was good enough at the time. I do not believe I removed it entirely, and until now it has been dormant. Today, out of the middle of nowhere, I got a popup tab in Firefox. This being the first unexpected ad I'd seen in about a year, I ran Spybot, and sure enough, Virtumonde is back. I kindly request assistance in removing this plague completely, once and for all, from my computer. My HJT log follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:43 PM, on 10/27/2008
    Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\Program Files\AVG\AVG8\avgrsx.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\netdde.exe
    F:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    F:\Program Files\Bonjour\mDNSResponder.exe
    F:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    F:\WINDOWS\system32\inetsrv\inetinfo.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
    F:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
    F:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\WINDOWS\system32\tcpsvcs.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\conime.exe
    F:\Program Files\Orb Networks\Orb\bin\Orb.exe
    F:\Program Files\Unlocker\UnlockerAssistant.exe
    F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    F:\Program Files\Google\Gmail Notifier\gnotify.exe
    F:\WINDOWS\system32\taskswitch.exe
    F:\Program Files\UltraMon\UltraMon.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\PROGRA~1\AVG\AVG8\avgtray.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    F:\Program Files\UltraMon\UltraMonTaskbar.exe
    F:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    F:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    F:\WINDOWS\system32\RUNDLL32.EXE
    F:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    F:\Program Files\PeerGuardian2\pg2.exe
    F:\Program Files\Microsoft ActiveSync\wcescomm.exe
    F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    F:\Program Files\Gateway\EzTune\DTHtml.exe
    F:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    F:\PROGRA~1\MI3AA1~1\rapimgr.exe
    F:\Program Files\Portrait Displays\Pivot Software\floater.exe
    F:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    F:\WINDOWS\system32\wscntfy.exe
    F:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    F:\Program Files\SpeedFan\speedfan.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
    F:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
    F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    F:\WINDOWS\explorer.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    F:\Program Files\Mozilla Firefox\firefox.exe

    O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
    O1 - Hosts: 208.69.57.87game01.us.segaonline.jp
    O1 - Hosts: 208.69.57.87 patch01.us.segaonline.jp
    O1 - Hosts: 208.69.57.87 game01.psobb.segaonline.jp
    O1 - Hosts: 208.69.57.87 patch01.psobb.segaonline.jp
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] F:\Program Files\Unlocker\UnlockerAssistant.exe -H
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] F:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\system32\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] F:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [PivotSoftware] "F:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
    O4 - HKLM\..\Run: [DT GWY] F:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [PeerGuardian] F:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Orb] "F:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
    O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Orb] F:\Program Files\Winamp Remote\bin\OrbTray.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Orb] F:\Program Files\Winamp Remote\bin\OrbTray.exe (User 'Default user')
    O4 - Startup: Gateway Rightside.lnk = ?
    O4 - Startup: SpeedFan.lnk = F:\Program Files\SpeedFan\speedfan.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download with GetRight Pro - F:\PROGRA~1\Getright\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Pro Browser - F:\PROGRA~1\Getright\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - F:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - F:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - F:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - F:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - F:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: f:\windows\system32\nwprovau.dll
    O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201577205390
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll wcmdbk.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - F:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - F:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\system32\oodag.exe
    O23 - Service: OrbMediaService - Orb Networks - F:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
    O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - F:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - F:\Program Files\WinPcap\rpcapd.exe
    O24 - Desktop Component 0: (no name) - (no file)
    O24 - Desktop Component 1: (no name) - (no file)

    --
    End of file - 13906 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi SonicSmash

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Oct 2008
    Posts
    26


    When I hit save, HJT closed without saving anything. I renamed HJT and tried again. It worked that time. Let me give you the first four entries, since HJT makes them unreadable:
    アカツキ電光戦記 (Akatsuki Blitzkampf)
    Torrent
    東方風神録 ver 1.00a (Touhou Fuujinroku)
    東方緋想天 Ver1.04 (Touhou Hisouten)

    This is the actual log:

    ?A?J?c?Ld?o?i?L
    ?ETorrent
    ??u???_?^ ver 1.00a
    ??uezV Ver1.04
    c??d?e Uwabami Breakers Ver.C73
    7-Zip 4.42
    7-Zip Addon Pack
    Ad-Aware
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Contribute CS3
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 7.0.8
    Adobe Reader for Pocket PC 2.0
    Adobe Setup
    Adobe Setup
    Adobe Shockwave Player
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AG_SYS Screen Saver
    AGEIA PhysX v7.09.13
    AHV content for Acrobat and Flash
    Alt-Tab Task Switcher Powertoy for Windows XP
    A-Mac Address Change 5.3
    Anvil Studio
    AOL Instant Messenger
    Apple Software Update
    ASIO4ALL
    Aspell English Dictionary-0.50-2
    Assegai Screen Saver
    Audacity 1.3.5 (Unicode)
    AutoCAD 2008 - English
    Autodesk DWF Viewer 7
    Avanquest update
    AVG Free 8.0
    AVPM-Setup
    BitPim 1.0.4.20071224
    BLM 2.6.5
    BT8010 Control Center version 1.3
    Calculator Powertoy for Windows XP
    Canon ScanGear Toolbox CS 2.2
    CCleaner (remove only)
    CD/DVD-ROM Generator 2.00
    CmdHere Powertoy For Windows XP
    Collab
    Compact Wireless-G USB Adapter
    Compatibility Pack for the 2007 Office system
    Conduits Pocket Artist
    Cortex Command Build 20
    Dell Printer Software Uninstall
    DESCENT II
    DivX Web Player
    Dynamic Library v1.03
    EGX Screen Saver
    ElectricSheep 2.6.6
    Enhanced Sound Card Driver 8.0
    EPSON Printer Software
    Exact Audio Copy 0.95b4
    EzTune
    FEAR
    Feisar Screen Saver
    feisar_saver
    Final Fantasy VII - Ultima Edition
    Final Fantasy VII XP Patch
    FL Studio 8
    Flash Renamer 6.02
    Game Maker 6.1
    Game Maker 7.0
    Geiss2 for Winamp 2x (remove only)
    GIF Movie Gear 4.1.2
    GNU Aspell 0.50-3
    Google Earth
    Google Gears
    Google Gmail Notifier
    Google SketchUp 6
    Google SketchUp 6
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    Google Updater
    Goteki Screen Saver
    GTK+ Runtime 2.10.11 rev b (remove only)
    GUILTY GEAR XX ?RELOAD
    Guitar Pro 5.0
    Hamachi 1.0.2.2
    Hex Workshop v5
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    hx2000b WM5 Drivers Update
    ID3-TagIT 3
    IIS 6.0 Resource Kit Tools
    ijji - Gunz
    ijji Auto Installer
    IL Download Manager
    Image Resizer Powertoy for Windows XP
    iPAQ Micro Keyboard
    IrisAPE 1.0
    IsoBuster 2.1
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 1
    Java(TM) SE Runtime Environment 6 Update 1
    JCreator LE 4.00
    JMB36X Raid Configurer
    KAWAI ?X?R?A?v???[???[4.0
    KAWAI ?X?R?A?v???[???[FX
    KeyControl v1.02 (remove only)
    K-Lite Codec Pack 2.77 Full
    ksColorPick
    LiveUpdate
    Lunia
    LuniaGSP
    M3 GAME Manager Uninstall
    Magic ISO Maker v5.3 (build 0216)
    Magic ISO Maker v5.4 (build 0239)
    Magic ISO Maker v5.4 (build 0251)
    Manga Reader v1.2.6
    MapleStory
    Marvell Miniport Driver
    Matrix-ks
    MELTY BLOOD Act Cadenza Ver.B WindowsA
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - JPN
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - JPN
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 3.5 Language Pack - u?{?e
    Microsoft .NET Framework 3.5 Language Pack - jpn
    Microsoft ActiveSync
    Microsoft AppLocale
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Corporation RATTV3
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Express Edition - ENU
    Microsoft Visual C++ 2005 Express Edition - ENU
    Microsoft Visual C++ 2005 Express Edition - ENU Service Pack 1 (KB926748)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual J# 2005 Express Edition - ENU
    Microsoft Visual J# 2005 Express Edition - ENU
    Microsoft Visual J# 2005 Express Edition - ENU Service Pack 1 (KB926750)
    Microsoft Windows Application Compatibility Database
    middle_man
    Ml_Icons 0.3
    Motorola Driver Installation
    Motorola Phone Tools
    Motorola PST
    Mozilla Firefox (3.0.3)
    Mozilla Thunderbird (1.5.0.10)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Mulimedia Logic
    Nero 7.2.3.2
    NetBeans IDE 5.5
    NVIDIA Drivers
    NVIDIA nTune
    O&O Defrag Professional Edition
    OpenOffice.org Installer 1.0
    Orb
    PackageFactory for U3 (build 100)
    Pandora's GUI
    PDAwin TV remote controller
    PDF Settings
    PeerGuardian 2.0
    Phantasy Star Online Blue Burst 1.0
    Piranha Screen Saver
    Pivot Software
    Playlist Creator 3
    Pocket RAR documentation
    PoiZone
    Power Tab Editor 1.7
    PowerDVD
    PowerISO
    PowerQuest PartitionMagic 8.0
    Project64 1.6
    PSP Video 9 2.25
    Qirex Screen Saver
    QPST
    QuickGamma 2.0.0.3
    QuickTime
    QuickTime Alternative 1.81
    RAGNAROK BATTLE OFFLINE 1.0
    RapidLeecher Ultimate 2007
    RBO Extra Scenario Vol.1
    RBO Extra Scenario Vol.2
    RBO Extra Scenario Vol.3
    Real Alternative 1.50
    Realtek High Definition Audio Driver
    Regular Expression Laboratory 1.0
    SDK
    Seagate?DiscWizard
    Security Task Manager 1.7d
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows XP (KB941569)
    Send To Extensions PowerToy
    Sony Sound Forge 8.0d
    Sothink SWF Decompiler
    SpaceCowboy
    SpeedFan (remove only)
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SqrSoftR Advanced Crossfading (remove only)
    SSH Secure Shell
    Stereogram Explorer 2.4
    Stereogram Screensaver v1.0
    System Requirements Lab
    TCPMP
    Thermal Analysis Tool
    Triakis Screen Saver
    Tweak UI
    UltraFXP (remove only)
    UltraISO Premium V8.2
    UltraMon
    Update for Windows Media Player 10 (KB926251)
    VideoLAN VLC media player 0.8.6d
    Viewpoint Media Player
    ViewSonic Monitor Drivers
    Virtual Desktop Manager Powertoy for Windows XP
    Visual IRC 2.0
    vixy converter uninstall
    VNC Free Edition 4.1.2
    WD Diagnostics
    WIBU-KEY Setup (WIBU-KEY Remove)
    Winamp
    Winamp 5 Color Editor (remove only)
    Winamp Wecker
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Sniper
    Windows Support Tools
    Windows XP Service Pack 3
    WinHTTrack Website Copier 3.41-3
    WinMobile Torrent
    WinPcap 4.0.1
    WinRAR archiver
    WinRAR Themes Addon
    XML Paper Specification Shared Components Language Pack 1.0
    YAMAHA Digital Music Notebook

    Thanks

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    Torrent
    WinMobile Torrent

    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Please run a new uninstall list scan when finished and post the log back here.

  5. #5
    Junior Member
    Join Date
    Oct 2008
    Posts
    26


    Please note that the problem has worsened. I can no longer reliably boot my computer without resorting to safe mode.

    Here is the log:

    ?A?J?c?Lgd?o?i?L
    g??u???_?^ ver 1.00a
    g??uheezgV Ver1.04
    c?N?d?e Uwabami Breakers Ver.C73
    7-Zip 4.42
    7-Zip Addon Pack
    Ad-Aware
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Contribute CS3
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Encore CS3
    Adobe Encore CS3 Codecs
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 7.0.8
    Adobe Reader for Pocket PC 2.0
    Adobe Setup
    Adobe Setup
    Adobe Shockwave Player
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AG_SYS Screen Saver
    AGEIA PhysX v7.09.13
    AHV content for Acrobat and Flash
    Alt-Tab Task Switcher Powertoy for Windows XP
    A-Mac Address Change 5.3
    Anvil Studio
    AOL Instant Messenger
    Apple Software Update
    ASIO4ALL
    Aspell English Dictionary-0.50-2
    Assegai Screen Saver
    Audacity 1.3.5 (Unicode)
    AutoCAD 2008 - English
    Autodesk DWF Viewer 7
    Avanquest update
    AVG Free 8.0
    AVPM-Setup
    BitPim 1.0.4.20071224
    BLM 2.6.5
    BT8010 Control Center version 1.3
    Calculator Powertoy for Windows XP
    Canon ScanGear Toolbox CS 2.2
    CCleaner (remove only)
    CD/DVD-ROM Generator 2.00
    CmdHere Powertoy For Windows XP
    Collab
    Compact Wireless-G USB Adapter
    Compatibility Pack for the 2007 Office system
    Conduits Pocket Artist
    Cortex Command Build 20
    Dell Printer Software Uninstall
    DESCENT II
    DivX Web Player
    Dynamic Library v1.03
    EGX Screen Saver
    ElectricSheep 2.6.6
    Enhanced Sound Card Driver 8.0
    EPSON Printer Software
    Exact Audio Copy 0.95b4
    EzTune
    FEAR
    Feisar Screen Saver
    feisar_saver
    Final Fantasy VII - Ultima Edition
    Final Fantasy VII XP Patch
    FL Studio 8
    Flash Renamer 6.02
    Game Maker 6.1
    Game Maker 7.0
    Geiss2 for Winamp 2x (remove only)
    GIF Movie Gear 4.1.2
    GNU Aspell 0.50-3
    Google Earth
    Google Gears
    Google Gmail Notifier
    Google SketchUp 6
    Google SketchUp 6
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    Google Updater
    Goteki Screen Saver
    GTK+ Runtime 2.10.11 rev b (remove only)
    GUILTY GEAR XX ?hRELOAD
    Guitar Pro 5.0
    Hamachi 1.0.2.2
    Hex Workshop v5
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    hx2000b WM5 Drivers Update
    ID3-TagIT 3
    IIS 6.0 Resource Kit Tools
    ijji - Gunz
    ijji Auto Installer
    IL Download Manager
    Image Resizer Powertoy for Windows XP
    iPAQ Micro Keyboard
    IrisAPE 1.0
    IsoBuster 2.1
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 1
    Java(TM) SE Runtime Environment 6 Update 1
    JCreator LE 4.00
    JMB36X Raid Configurer
    KAWAI ?X?R?A?v???[???[4.0
    KAWAI ?X?R?A?v???[???[FX
    KeyControl v1.02 (remove only)
    K-Lite Codec Pack 2.77 Full
    ksColorPick
    LiveUpdate
    Lunia
    LuniaGSP
    M3 GAME Manager Uninstall
    Magic ISO Maker v5.3 (build 0216)
    Magic ISO Maker v5.4 (build 0239)
    Magic ISO Maker v5.4 (build 0251)
    Manga Reader v1.2.6
    MapleStory
    Marvell Miniport Driver
    Matrix-ks
    MELTY BLOOD Act Cadenza Ver.B WindowshA
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - JPN
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - JPN
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 3.5 Language Pack - gu?{?e
    Microsoft .NET Framework 3.5 Language Pack - jpn
    Microsoft ActiveSync
    Microsoft AppLocale
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Corporation RATTV3
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Express Edition - ENU
    Microsoft Visual C++ 2005 Express Edition - ENU
    Microsoft Visual C++ 2005 Express Edition - ENU Service Pack 1 (KB926748)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Visual J# 2005 Express Edition - ENU
    Microsoft Visual J# 2005 Express Edition - ENU
    Microsoft Visual J# 2005 Express Edition - ENU Service Pack 1 (KB926750)
    Microsoft Windows Application Compatibility Database
    middle_man
    Ml_Icons 0.3
    Motorola Driver Installation
    Motorola Phone Tools
    Motorola PST
    Mozilla Firefox (3.0.3)
    Mozilla Thunderbird (1.5.0.10)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 6.0 Parser (KB933579)
    Mulimedia Logic
    Nero 7.2.3.2
    NetBeans IDE 5.5
    NVIDIA Drivers
    NVIDIA nTune
    O&O Defrag Professional Edition
    OpenOffice.org Installer 1.0
    Orb
    PackageFactory for U3 (build 100)
    Pandora's GUI
    PDAwin TV remote controller
    PDF Settings
    PeerGuardian 2.0
    Phantasy Star Online Blue Burst 1.0
    Piranha Screen Saver
    Pivot Software
    Playlist Creator 3
    Pocket RAR documentation
    PoiZone
    Power Tab Editor 1.7
    PowerDVD
    PowerISO
    PowerQuest PartitionMagic 8.0
    Project64 1.6
    PSP Video 9 2.25
    Qirex Screen Saver
    QPST
    QuickGamma 2.0.0.3
    QuickTime
    QuickTime Alternative 1.81
    RAGNAROK BATTLE OFFLINE 1.0
    RapidLeecher Ultimate 2007
    RBO Extra Scenario Vol.1
    RBO Extra Scenario Vol.2
    RBO Extra Scenario Vol.3
    Real Alternative 1.50
    Realtek High Definition Audio Driver
    Regular Expression Laboratory 1.0
    SDK
    Seagate DiscWizard
    Security Task Manager 1.7d
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows XP (KB941569)
    Send To Extensions PowerToy
    Sony Sound Forge 8.0d
    Sothink SWF Decompiler
    SpaceCowboy
    SpeedFan (remove only)
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SqrSoftR Advanced Crossfading (remove only)
    SSH Secure Shell
    Stereogram Explorer 2.4
    Stereogram Screensaver v1.0
    System Requirements Lab
    TCPMP
    Thermal Analysis Tool
    Triakis Screen Saver
    Tweak UI
    UltraFXP (remove only)
    UltraISO Premium V8.2
    UltraMon
    Update for Windows Media Player 10 (KB926251)
    VideoLAN VLC media player 0.8.6d
    Viewpoint Media Player
    ViewSonic Monitor Drivers
    Virtual Desktop Manager Powertoy for Windows XP
    Visual IRC 2.0
    vixy converter uninstall
    VNC Free Edition 4.1.2
    WD Diagnostics
    WIBU-KEY Setup (WIBU-KEY Remove)
    Winamp
    Winamp 5 Color Editor (remove only)
    Winamp Wecker
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Sniper
    Windows Support Tools
    Windows XP Service Pack 3
    WinHTTrack Website Copier 3.41-3
    WinPcap 4.0.1
    WinRAR archiver
    WinRAR Themes Addon
    XML Paper Specification Shared Components Language Pack 1.0
    YAMAHA Digital Music Notebook

  6. #6
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Default

    I also cannot access the safer-networking.org website or the spybot.info forums any longer. I am using a second computer for this right now.

  7. #7
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Default

    There is one small, additional problem that seems to have appeared around the time the malware did. The fonts in my Firefox browser are all bold in some areas that weren't like that before. Like the Google search results. In IE they are all italicized, also something that wasn't like that before. Any idea what happened? I tried messing with the text size, zoom and settings and it doesn't change anything.

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    That is most likely a settings issue.

    Anyway, before we come to that, let's remove some malware:

    We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    F:\WINDOWS\system32\osavyfsh.ini
    F:\WINDOWS\system32\ajxfnfbb.ini
    F:\WINDOWS\system32\pughinfp.ini
    
    Folder::
    F:\Program Files\uTorrent
    F:\Documents and Settings\Administrator\Application Data\uTorrent
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
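    The CFScript above uses three sections (File::, Folder:: and Registry::, where "[-KEY]" marks a key for deletion). The following is an added example, not part of this thread or of ComboFix itself: a small Python parser for that layout plus a dry-run audit that reports which File::/Folder:: targets are actually present before the script is handed to ComboFix. The paths and registry key in the sample are constructed placeholders, and the `exists` predicate is injectable so the check can be exercised on any machine.

```python
import os
import re
# Constructed sample in the CFScript layout from the post above
# (hypothetical paths and key, not the original poster's machine).
SAMPLE_CFSCRIPT = """File::
C:\\WINDOWS\\system32\\abcdefgh.ini
C:\\WINDOWS\\system32\\ijklmnop.ini

Folder::
C:\\Program Files\\ExampleApp
Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Example]
"""

SECTION_RE = re.compile(r"^(\w+)::$")   # section header such as "File::"
REG_RE = re.compile(r"^\[(-?)(.+)\]$")  # "[-KEY]" = delete KEY, "[KEY]" = keep/create

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections

def registry_actions(entries):
    """Map each Registry:: line to ('delete' | 'keep', key path)."""
    out = []
    for e in entries:
        m = REG_RE.match(e)
        if not m:
            raise ValueError("not a registry line: %r" % e)
        out.append(("delete" if m.group(1) == "-" else "keep", m.group(2)))
    return out

def audit(text, exists=os.path.exists):
    """Dry run: {path: present?} for every File::/Folder:: target (exists is injectable)."""
    sections = parse_cfscript(text)
    return {p: bool(exists(p)) for s in ("File", "Folder") for p in sections.get(s, [])}
```

    Running `audit(open("CFScript.txt").read())` on the affected machine shows at a glance which of the listed files and folders are still on disk, which is useful when comparing against the Combofix.txt report afterwards.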

  9. #9
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Default

    Computer hung in the middle of ComboFix. Computer no longer starts. After Windows loading screen, screen goes black and nothing happens afterward. Safe mode too.
