Thread: And yet another Virtumonde among other things

    #11 Member (Join Date: Jan 2009, Posts: 42)

    Scan complete. Here is the log.
    New log after system reboot.

    Malwarebytes' Anti-Malware 1.33
    Database version: 1654
    Windows 5.1.2600 Service Pack 3

    1/19/2009 10:33:42 PM
    mbam-log-2009-01-19 (22-33-42).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 202256
    Time elapsed: 1 hour(s), 7 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 27

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xjaniw (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{69a8a868-f0a6-4dff-a194-cece47d259b3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\chkopiaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\senekamdxsaqll.dll.vir (Trojan.Seneka) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\efcCsqpo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gfjtxvoj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\kfextrfh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pcvjuh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnMgEv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\xcujfl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekasvltpvjt.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP53\A0004813.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP54\A0004988.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP55\A0006046.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021008.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021045.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021057.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021059.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0020992.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021151.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ffkuz.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\odamukimu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\ozajoviq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

    #12 Member (Join Date: Jan 2009, Posts: 42)

    New HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:15:07 PM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\system32\dumprep.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
    O2 - BHO: (no name) - {1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
    O2 - BHO: (no name) - {1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)
    O2 - BHO: (no name) - {2230D878-9489-4D30-8F67-663575F87E3B} - (no file)
    O2 - BHO: (no name) - {2838B912-1276-4D6E-8AC0-952F52E80EC4} - (no file)
    O2 - BHO: (no name) - {2B44BA60-C2B3-410E-9050-6B7EDD2C8EBB} - (no file)
    O2 - BHO: (no name) - {45DE8515-C8BE-42BE-A58A-D93A32BED1EB} - (no file)
    O2 - BHO: (no name) - {5737A3AA-BB3A-4502-ACED-AF39E324EC1D} - (no file)
    O2 - BHO: (no name) - {5CBD930F-D300-445C-B521-CB0F3C4AD889} - (no file)
    O2 - BHO: (no name) - {604F6BB4-546B-4BD6-B9B2-75CA292E5C47} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {784DB16F-F9A0-4360-AFA3-07359F24D9CA} - (no file)
    O2 - BHO: (no name) - {7BD77EEF-4AE5-4D36-A777-B2D6920293D7} - (no file)
    O2 - BHO: (no name) - {7FBAE3B9-98CC-4D02-B562-6EB45D154337} - (no file)
    O2 - BHO: (no name) - {81706E4D-1CA2-4703-AC71-66E25A48791D} - (no file)
    O2 - BHO: (no name) - {84CCBB3F-45A0-4D0A-8432-D9F8D7735B90} - (no file)
    O2 - BHO: (no name) - {9F04FCB5-6F23-4737-A4DC-BDA7AFD8B0FF} - (no file)
    O2 - BHO: (no name) - {A07B5C99-8B1C-4388-8BB6-6DEAEEA0B35E} - (no file)
    O2 - BHO: (no name) - {A4D4BACD-2EFE-465E-8FBD-09DCAF8EB2FE} - (no file)
    O2 - BHO: (no name) - {D083534D-4E28-402D-946E-FB8E87961884} - (no file)
    O2 - BHO: (no name) - {D69E913D-7A6C-43EB-B025-121C2A1538A6} - (no file)
    O2 - BHO: (no name) - {DCFD8053-1C75-427A-94B5-72593C16FA50} - (no file)
    O2 - BHO: (no name) - {ED9A5EEC-BED5-4E54-A183-C87848F91CDA} - (no file)
    O2 - BHO: (no name) - {F3982346-B138-4D68-92DE-B722A24356F7} - (no file)
    O2 - BHO: (no name) - {FA7A0F3A-EE35-485E-906D-230588C6FB03} - (no file)
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Xfire.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O20 - Winlogon Notify: pmnLDtQK - C:\WINDOWS\
    O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7337 bytes

    #13 Emeritus, @localhost (Join Date: Nov 2005, Posts: 6,066)

    Hi,

    OK, good. We will use HJT now, but first disable Spybot's TeaTimer so it won't go nuts:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.
    -----------------------------------

    Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked".

    *Select all that say (no file) on the end:*

    O2 - BHO: (no name) - {062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
    O2 - BHO: (no name) - {1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
    O2 - BHO: (no name) - {1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)

    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

    O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b

    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O20 - Winlogon Notify: pmnLDtQK - C:\WINDOWS\

    Try to update MBAM and run it once more. Post the MBAM log and a new HJT log.

    If you are familiar with your router, you should check its setup and make sure that its DNS server is not in the form 85.255.112.xyz.
    How Can I Reduce My Risk?
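
The triage the helper just described (pick out the BHO entries that end in "(no file)", the Trusted Zone additions, the empty DPF entry, the Winlogon Notify hook and the hex-named Run value that launches a DLL through rundll32) can be done mechanically over a HijackThis log. The script below is an added example in Python, not code from this thread or from HijackThis. Its sample input is a subset of lines copied from the HJT log posted above; the "Run value name is all hex digits" rule is my own heuristic for Vundo-style entries and not something HijackThis itself applies.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in this thread, trimmed to a
# representative subset: a few benign entries plus the ones the helper
# asked to have fixed.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
O2 - BHO: (no name) - {1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
O2 - BHO: (no name) - {1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: pmnLDtQK - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Body of an O4 Run entry: HKLM\..\Run: [<value name>] <command line>
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, full line) for every HJT entry in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def is_hex_name(name):
    """Heuristic (mine, not HJT's): Run value names like '58d27dcb'."""
    return len(name) >= 8 and all(c in "0123456789abcdefABCDEF" for c in name)


def triage(log_text):
    """Apply the helper's selection rules and return the entries to fix."""
    findings = []
    for section, body, line in parse_entries(log_text):
        reason = None
        if section == "O2" and body.endswith("(no file)"):
            reason = "orphaned BHO: CLSID still registered but its DLL is gone"
        elif section == "O4":
            m = RUN_ENTRY.match(body)
            if m and is_hex_name(m.group("name")) and "rundll32" in m.group("cmd").lower():
                reason = "Run value with a hex name loading a DLL via rundll32"
        elif section == "O15":
            reason = "site added to the IE Trusted Zone"
        elif section == "O16" and body.endswith(" -"):
            reason = "Download Program File (ActiveX) entry with no source URL"
        elif section == "O20":
            reason = "Winlogon Notify package: DLL loaded into winlogon.exe"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def lines_to_fix(log_text):
    """Just the raw lines, in the form you would tick in HJT."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample above this returns the three orphaned O2 entries, the hex-named O4 entry, both O15 lines, the empty O16 and the O20 hook, and leaves the Java BHO, NvCplDaemon and the NVIDIA service alone. The DAEMON Tools toolbar the helper also ticked is a judgement call about a bundled toolbar whose DLL is present, not something a rule like this catches. Note also that "Fix checked" removes the registry pointer, not the DLL on disk, which is why the helper pairs it with an updated MBAM rescan.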

    #14 Member (Join Date: Jan 2009, Posts: 42)

    OK, all programs updated now. It's going to take 30-45 minutes to conduct the MBAM scan. Should I have it fix what it finds? I want to know before I post logs.

    #15 Emeritus, @localhost (Join Date: Nov 2005, Posts: 6,066)

    Hi,

    Yes, have it fix what it finds.

    #16 Member (Join Date: Jan 2009, Posts: 42)

    Results: MBAM log

    Malwarebytes' Anti-Malware 1.33
    Database version: 1673
    Windows 5.1.2600 Service Pack 3

    1/20/2009 8:25:17 PM
    mbam-log-2009-01-20 (20-25-17).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 202438
    Time elapsed: 1 hour(s), 6 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    #17 Member (Join Date: Jan 2009, Posts: 42)

    Results: HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:26:32 PM, on 1/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Xfire.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 4861 bytes

    #18 Emeritus, @localhost (Join Date: Nov 2005, Posts: 6,066)

    Hi,

    OK, good. Cruise around and make sure the page redirects are gone. Check your router's setup to make sure its DNS server option doesn't show the IP range 85.255.... (some trojans might change it, mainly if you are using the default password etc., which you shouldn't be).

    c:\Program Files\Ares Ultra
    This is not the official Ares P2P client. It is a ripped-off clone. Hope you didn't pay money.

    There is also much malware that is distributed via the networks.
    Take a look at this topic on my web page:
    http://www.virusvault.us/p2p.html
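
The DNS check the helper asks for here and in post #13 (make sure no DNS server in the 85.255.112.xyz range is configured) covers two places: the PC's own TCP/IP settings, which is where the first MBAM log found the rogue `NameServer` value, and the router, which hands out DNS via DHCP. The script below is an added example in Python, not code from this thread or any of the tools in it. It assumes the suspect prefix is 85.255.112.0/24, taken from the two addresses in the MBAM log (85.255.112.156 and 85.255.112.190) and the helper's "85.255.112.xyz"; widen `SUSPECT_NETS` if you have better intelligence. The `ipconfig /all` excerpt is constructed to look like the XP box in this thread before cleanup; the MBAM line is the one from the log above.

```python
import ipaddress
import re

# Assumption: the rogue range is the /24 that the two NameServer entries in
# the MBAM log fall into. Add further prefixes here if you know more.
SUSPECT_NETS = [ipaddress.ip_network("85.255.112.0/24")]

# Constructed sample of the relevant `ipconfig /all` lines on a Windows XP
# machine whose adapter still points at the rogue servers.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.156
                                            85.255.112.190
"""

# The "Registry Data Items" line from the first MBAM log in this thread.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces"
    r"\{69a8a868-f0a6-4dff-a194-cece47d259b3}\NameServer (Trojan.DNSChanger) "
    r"-> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully."
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def dns_servers_from_ipconfig(text):
    """Collect every address listed under 'DNS Servers', including the
    indented continuation lines ipconfig prints for extra servers."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            servers += IPV4.findall(stripped.split(":", 1)[1])
        elif in_dns and IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns = False
    return servers


def dns_servers_from_mbam(line):
    """Pull the semicolon-separated NameServer data out of an MBAM
    'Registry Data Items' line (the Tcpip\\...\\Interfaces\\{guid}\\NameServer value)."""
    m = re.search(r"NameServer .*?-> Data: ([^ ]+)", line)
    return m.group(1).split(";") if m else []


def is_suspect(addr):
    """True if the address sits inside one of the known-bad prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SUSPECT_NETS)


def check(servers):
    """Return the subset of configured DNS servers that are suspect."""
    return [s for s in servers if is_suspect(s)]


if __name__ == "__main__":
    live = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    print("configured:", live, "suspect:", check(live))
    print("from MBAM log:", check(dns_servers_from_mbam(SAMPLE_MBAM_LINE)))
```

On a real machine feed it the output of `ipconfig /all`. A clean home setup normally lists only the router's LAN address (192.168.1.1 in the helper's reply) as the DNS server, which is exactly why the router's own WAN DNS setting has to be checked separately in its web interface: the PC would look fine while the router still forwards every lookup to the rogue servers.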

    #19 Member (Join Date: Jan 2009, Posts: 42)

    No more pop-ups or anything. I ran a scan with both Symantec and Spybot; no viruses found, but I still have Virtumonde.Generic and Virtumonde.prx. Also, how do I check the router settings?

    #20 Emeritus, @localhost (Join Date: Nov 2005, Posts: 6,066)

    > how do I check the router settings.

    If the trojan had changed them you would still be getting page redirects.

    You would type in your browser:

    http://192.168.1.1

    to get to its interface, which is really just a web page.
    Take a look here also:
    http://www.linksysbycisco.com/US/en/support#

    Read this also:
    http://arstechnica.com/guides/tweaks...s-security.ars
    http://www.practicallynetworked.com/...ess_secure.htm

    Spybot is finding those?
    Post the lines from the Spybot scan that show those.
    Probably harmless registry leftovers.
