
Thread: Fraud.Sysguard, Virtumonde, WinSpyWareProtect, jenksysguard.exe, fvhrsysguard.exe

  1. #1
    Junior Member (Join Date: Jul 2007; Location: MidAtlantic, U.S.A. & Tanzania, E.A.; Posts: 22)

    Fraud.Sysguard, Virtumonde, WinSpyWareProtect, jenksysguard.exe, fvhrsysguard.exe

    Greetings

    11/06/09 3:39 pm Drive by download
    WinPatrol asking if OK for new start up programs: NO

    Steps I took:
    WinPatrol to shut down IE
    CCleaner
    Searched Files created on 11/06/09 at time of drive by

    Found:
    C:\WINDOWS\Prefetch\JENKSYSGUARD.EXE-26B3D3DB.pf
    C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf
    C:\WINDOWS\Prefetch\OP[1].EXE-135CA8B5.pf
    C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf
    C:\WINDOWS\Prefetch\WISPTIS.EXE-1AD43041.pf
    C:\WINDOWS\Prefetch\ACROBAT.EXE-37DF90AA.pf
    C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\kycssw\jenksysguard.exe
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0242102.exe

    Ran Spybot, found & fixed:
    Fraud.Sysguard
    WinSpyWareProtect

    The files I found are still there.

    :: ::

    11/11/09 12:15 pm Drive by download
    WinPatrol asking if OK for new start up programs: NO
    Pop-up message from the system tray with the Spybot Immunize logo saying I have a virus and to download a program: did not engage with the message.

    Steps I took:
    WinPatrol to shut down IE
    CCleaner
    Searched Files created on 11/11/09 at time of drive by

    Found:
    C:\WINDOWS\SYSTEM32\~.exe
    C:\WINDOWS\Prefetch\~.EXE-10AA984B.pf
    C:\WINDOWS\Prefetch\FVHRSYSGUARD.EXE-255D32DE.pf
    C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\ikvvyn\fvhrsysguard.exe

    Ran Spybot, found & fixed:
    Fraud.Sysguard
    Virtumonde
    WinSpyWareProtect

    The files I found are still there, with the exception of C:\WINDOWS\SYSTEM32\~.exe.

    I have not closed Spybot
    I have not downloaded the MS Updates that are ready, as I fear spreading or activating whatever.
    I have run "ERUNT" and backed up "System registry" only.

    Thank you for your help.
    :: ::

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:45:30 PM, on 11/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov/apod/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE7
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5632] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1110] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC446] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7973] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2943] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1158] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
    O4 - HKUS\S-1-5-21-2710597939-3187016515-2077082144-1053\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'The David's')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    --
    End of file - 7668 bytes
    "Return to old watering holes for more than water; friends and dreams are there to meet you."
    ~ African proverb
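As an added illustration of the triage the poster did by hand (searching for files created at the time of the drive-by and looking at Prefetch), here is a Python script that is not part of the thread and not from Spybot, HijackThis or WinPatrol. It takes the paths listed in the post above as a constructed sample, decodes the Windows XP Prefetch file names (`NAME.EXE-<path hash>.pf`, which exist only for executables that actually ran), flags executables dropped into a subfolder of the per-user `Local Settings\Application Data` directory, and correlates the two so a responder can see which dropped files have a proof-of-execution record. The vowel-ratio heuristic for "random-looking" folder names and all function names are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the paths the original poster listed as created at the
# time of the 11/06/09 and 11/11/09 drive-by downloads (copied from the post).
FOUND_PATHS = [
    r"C:\WINDOWS\Prefetch\JENKSYSGUARD.EXE-26B3D3DB.pf",
    r"C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf",
    r"C:\WINDOWS\Prefetch\OP[1].EXE-135CA8B5.pf",
    r"C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf",
    r"C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\kycssw\jenksysguard.exe",
    r"C:\WINDOWS\SYSTEM32\~.exe",
    r"C:\WINDOWS\Prefetch\~.EXE-10AA984B.pf",
    r"C:\WINDOWS\Prefetch\FVHRSYSGUARD.EXE-255D32DE.pf",
    r"C:\Documents and Settings\DavDenRusSki\Local Settings\Application Data\ikvvyn\fvhrsysguard.exe",
]

# Windows XP Prefetch files are named <EXENAME>-<8 hex digits>.pf; the hex part
# is a hash of the executable's path. A .pf file exists only if the program ran.
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Per-user application data on XP; both rogue installers dropped their payload
# into a freshly created subfolder here.
USER_APPDATA_RE = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\(?P<sub>[^\\]+)\\",
    re.IGNORECASE,
)


def parse_prefetch_name(filename):
    """Split 'NAME.EXE-HASH.pf' into (NAME.EXE, HASH); None for non-Prefetch names."""
    m = PREFETCH_RE.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def looks_random(folder):
    """Heuristic (an assumption, not a rule): 5-8 letters with almost no vowels,
    like 'kycssw' or 'ikvvyn', is typical of generated dropper folder names."""
    s = folder.lower()
    if not s.isalpha() or not 5 <= len(s) <= 8:
        return False
    return sum(ch in "aeiou" for ch in s) / len(s) < 0.3


def triage(paths):
    """Classify each path as a (kind, executable name, reason) finding."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name, str(wp.parent).lower()
        if parent == r"c:\windows\prefetch":
            parsed = parse_prefetch_name(name)
            if parsed:
                exe, h = parsed
                findings.append(("prefetch", exe, f"executed at least once (path hash {h})"))
            continue
        m = USER_APPDATA_RE.match(p)
        if m and name.lower().endswith(".exe"):
            sub = m.group("sub")
            reason = "executable under per-user Application Data"
            if looks_random(sub):
                reason += f"; folder {sub!r} looks machine-generated"
            findings.append(("dropped_exe", name.lower(), reason))
            continue
        if parent == r"c:\windows\system32" and name.lower().endswith(".exe") \
                and not re.fullmatch(r"[a-z0-9_]+\.exe", name.lower()):
            findings.append(("odd_system32_exe", name.lower(), "unusual executable name in system32"))
    return findings


def executed_droppers(paths):
    """Dropped/odd executables that also have a Prefetch record, i.e. that actually ran."""
    findings = triage(paths)
    ran = {exe for kind, exe, _ in findings if kind == "prefetch"}
    return sorted(exe for kind, exe, _ in findings if kind != "prefetch" and exe.upper() in ran)


if __name__ == "__main__":
    for kind, exe, reason in triage(FOUND_PATHS):
        print(f"{kind:17} {exe:22} {reason}")
    print("ran on this machine:", executed_droppers(FOUND_PATHS))
```

On the sample above the correlation step reports `fvhrsysguard.exe`, `jenksysguard.exe` and `~.exe` as having run, which matches what Spybot later identified; the `REGSVR32.EXE` and `CMD.EXE` Prefetch entries at the same time are consistent with an installer registering a component and running a command line, but on their own they are only timing evidence, not proof of anything malicious.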

  2. #2
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (Join Date: Jul 2007; Location: MidAtlantic, U.S.A. & Tanzania, E.A.; Posts: 22)

    Requested logs. Thank you for your time, Blade81.

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by DavDenRusSki at 12:28:10.76 on Tue 11/17/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2912 [GMT -5:00]
    AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    ============== Running Processes ===============
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\DAVDEN~1\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    uSearchMigratedDefaultURL =
    uStart Page = hxxp://apod.nasa.gov/apod/
    uWindow Title = IE7
    mWindow Title = IE7
    BHO: AutorunsDisabled - No File
    BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    dRunOnce: [RunNarrator] Narrator.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\davden~1\applic~1\mozilla\firefox\profiles\6shrei5i.default\
    FF - prefs.js: browser.startup.homepage - hxxp://fodors.com/forums/threadselect.jsp?fid=4
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    ============= SERVICES / DRIVERS ===============
    R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-4-17 25208]
    R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-4-17 439664]
    R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-4-17 35448]
    S3 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
    S4 gupdate1c97c0d1e54e113;Google Update Service (gupdate1c97c0d1e54e113);c:\program files\google\update\GoogleUpdate.exe [2009-1-21 133104]
    S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S4 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
    =============== Created Last 30 ================
    2009-11-07 15:29:44 68683 ----a-w- C:\WPorder.jpg
    ==================== Find3M ====================
    2009-11-17 17:06:08 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-24 00:05:04 72584 ----a-w- c:\windows\zllsputility.exe
    2009-09-24 00:04:56 1238408 ----a-w- c:\windows\system32\zpeng25.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-27 05:18:44 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
    2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    ============= FINISH: 12:29:07.06 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    DDS (Ver_09-10-26.01)
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/9/2004 7:02:31 PM
    System Uptime: 11/17/2009 12:20:49 PM (0 hours ago)
    Motherboard: Dell Inc. | | 0J3492
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
    ==== Disk Partitions =========================
    A: is Removable
    C: is FIXED (NTFS) - 145 GiB total, 52.872 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    ==== Disabled Device Manager Items =============
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\1106ED8623C04
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\1106ED8623C04
    Service: NIC1394
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\80035537D100
    Manufacturer: Microsoft
    Name: 1394 Net Adapter #2
    PNP Device ID: V1394\NIC1394\80035537D100
    Service: NIC1394
    ==== System Restore Points ===================
    RP1752: 8/20/2009 7:13:05 AM - System Checkpoint
    RP1753: 8/21/2009 8:13:04 AM - System Checkpoint
    RP1754: 8/22/2009 9:13:00 AM - System Checkpoint
    RP1755: 8/23/2009 10:13:03 AM - System Checkpoint
    RP1756: 8/24/2009 11:13:01 AM - System Checkpoint
    RP1757: 8/25/2009 1:15:00 PM - System Checkpoint
    RP1758: 8/26/2009 2:00:22 AM - Software Distribution Service 3.0
    RP1759: 8/27/2009 2:13:07 AM - System Checkpoint
    RP1760: 8/28/2009 3:13:04 AM - System Checkpoint
    RP1761: 8/29/2009 4:13:04 AM - System Checkpoint
    RP1762: 8/30/2009 5:13:04 AM - System Checkpoint
    RP1763: 8/31/2009 6:13:07 AM - System Checkpoint
    RP1764: 9/1/2009 7:13:08 AM - System Checkpoint
    RP1765: 9/2/2009 8:13:04 AM - System Checkpoint
    RP1766: 9/3/2009 9:13:03 AM - System Checkpoint
    RP1767: 9/4/2009 10:13:04 AM - System Checkpoint
    RP1768: 9/5/2009 11:32:04 AM - System Checkpoint
    RP1769: 9/6/2009 12:12:47 PM - System Checkpoint
    RP1770: 9/7/2009 1:12:47 PM - System Checkpoint
    RP1771: 9/8/2009 2:12:46 PM - System Checkpoint
    RP1772: 9/9/2009 2:17:45 PM - System Checkpoint
    RP1773: 9/10/2009 2:00:20 AM - Software Distribution Service 3.0
    RP1774: 9/11/2009 2:16:53 AM - System Checkpoint
    RP1775: 9/12/2009 3:16:53 AM - System Checkpoint
    RP1776: 9/13/2009 4:16:44 AM - System Checkpoint
    RP1777: 9/14/2009 5:16:44 AM - System Checkpoint
    RP1778: 9/15/2009 6:16:45 AM - System Checkpoint
    RP1779: 9/16/2009 7:16:44 AM - System Checkpoint
    RP1780: 9/17/2009 8:24:50 AM - System Checkpoint
    RP1781: 9/18/2009 9:16:44 AM - System Checkpoint
    RP1782: 9/19/2009 10:58:19 AM - System Checkpoint
    RP1783: 9/20/2009 11:16:36 AM - System Checkpoint
    RP1784: 9/21/2009 12:16:33 PM - System Checkpoint
    RP1785: 9/22/2009 1:16:36 PM - System Checkpoint
    RP1786: 9/23/2009 2:16:36 PM - System Checkpoint
    RP1787: 9/24/2009 3:16:35 PM - System Checkpoint
    RP1788: 9/25/2009 4:23:06 PM - System Checkpoint
    RP1789: 9/26/2009 5:17:41 PM - System Checkpoint
    RP1790: 9/27/2009 6:30:25 PM - System Checkpoint
    RP1791: 9/28/2009 7:28:10 PM - System Checkpoint
    RP1792: 9/29/2009 8:07:27 PM - System Checkpoint
    RP1793: 9/30/2009 9:19:22 PM - System Checkpoint
    RP1794: 10/1/2009 10:07:25 PM - System Checkpoint
    RP1795: 10/2/2009 11:07:25 PM - System Checkpoint
    RP1796: 10/4/2009 12:00:14 AM - System Checkpoint
    RP1797: 10/5/2009 8:31:22 AM - System Checkpoint
    RP1798: 10/6/2009 8:46:26 AM - System Checkpoint
    RP1799: 10/7/2009 9:46:26 AM - System Checkpoint
    RP1800: 10/8/2009 10:37:41 AM - System Checkpoint
    RP1801: 10/9/2009 11:37:38 AM - System Checkpoint
    RP1802: 10/10/2009 3:34:29 PM - System Checkpoint
    RP1803: 10/11/2009 7:25:21 PM - System Checkpoint
    RP1804: 10/12/2009 10:57:53 PM - System Checkpoint
    RP1805: 10/14/2009 12:51:21 AM - System Checkpoint
    RP1806: 10/15/2009 1:39:05 AM - System Checkpoint
    RP1807: 10/16/2009 2:00:19 AM - Software Distribution Service 3.0
    RP1808: 10/17/2009 2:28:30 AM - System Checkpoint
    RP1809: 10/18/2009 2:42:30 AM - System Checkpoint
    RP1810: 10/19/2009 3:26:12 AM - System Checkpoint
    RP1811: 10/20/2009 4:23:59 AM - System Checkpoint
    RP1812: 10/21/2009 5:00:00 AM - System Checkpoint
    RP1813: 10/22/2009 5:37:47 AM - System Checkpoint
    RP1814: 10/23/2009 2:00:19 AM - Software Distribution Service 3.0
    RP1815: 10/24/2009 2:22:00 AM - System Checkpoint
    RP1816: 10/25/2009 3:21:59 AM - System Checkpoint
    RP1817: 10/26/2009 4:21:50 AM - System Checkpoint
    RP1818: 10/27/2009 5:21:50 AM - System Checkpoint
    RP1819: 10/28/2009 5:48:15 AM - System Checkpoint
    RP1820: 10/29/2009 6:48:14 AM - System Checkpoint
    RP1821: 10/30/2009 7:48:14 AM - System Checkpoint
    RP1822: 10/31/2009 8:26:26 AM - System Checkpoint
    RP1823: 11/1/2009 2:26:31 PM - Configured Seagate Manager Installer
    RP1824: 11/2/2009 4:00:40 PM - System Checkpoint
    RP1825: 11/4/2009 12:22:39 AM - System Checkpoint
    RP1826: 11/4/2009 3:00:17 AM - Software Distribution Service 3.0
    RP1827: 11/5/2009 3:26:44 AM - System Checkpoint
    RP1828: 11/6/2009 4:26:43 AM - System Checkpoint
    RP1829: 11/7/2009 5:26:43 AM - System Checkpoint
    RP1830: 11/8/2009 5:26:43 AM - System Checkpoint
    RP1831: 11/9/2009 7:47:00 AM - System Checkpoint
    RP1832: 11/10/2009 8:27:38 AM - System Checkpoint
    RP1833: 11/11/2009 8:45:58 PM - System Checkpoint
    RP1834: 11/12/2009 2:00:19 AM - Software Distribution Service 3.0
    RP1835: 11/13/2009 2:22:52 AM - System Checkpoint
    RP1836: 11/14/2009 3:22:50 AM - System Checkpoint
    RP1837: 11/15/2009 4:22:51 AM - System Checkpoint
    RP1838: 11/16/2009 5:22:41 AM - System Checkpoint
    RP1839: 11/17/2009 6:02:14 AM - System Checkpoint
    RP1840: 11/17/2009 12:19:05 PM - Removed AVG 8.0
    RP1841: 11/17/2009 12:20:19 PM - Installed AVG 8.0
    ==== Installed Programs ======================

    Adobe Acrobat 6.0 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Illustrator 10
    Adobe Photoshop 7.0
    Adobe Photoshop Elements 2.0
    Adobe SVG Viewer 3.0
    America Online (Choose which version to remove)
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    AOL Uninstaller (Choose which Products to Remove)
    Apple Mobile Device Support
    Apple Software Update
    ATI Control Panel
    ATI Display Driver
    Autodesk DWF Viewer
    Banctec Service Agreement
    Broadcom Advanced Control Suite 2
    BUM
    Calculator Powertoy for Windows XP
    Camera Access Library
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window DSLR 5 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 1.6.1
    Canon ZoomBrowser EX (E)
    CCleaner (remove only)
    cg4ie (remove only)
    Citrix Presentation Server Client
    Creative MediaSource
    Defraggler (remove only)
    Dell Digital Jukebox Driver
    Dell Media Experience
    Dell Networking Guide
    EasyCleaner
    EPSON Printer Software
    ERUNT 1.1j
    Google Earth
    Google Earth Plugin
    Google Update
    GoToMeeting 2.0.0.124
    Help and Support Customization
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB954550-v5)
    IE7Pro
    Intel Application Accelerator
    Internet Explorer Default Page
    iPod for Windows 2005-09-23
    ItsDeductible Express
    iTunes
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    KODAK EASYSHARE Gallery Easy Upload, v2.0
    KODAK EASYSHARE Gallery Upload ActiveX Control
    Linksys EasyLink Advisor
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Fireworks MX 2004
    Macromedia Flash MX 2004
    Macromedia FreeHand MXa
    Macromedia Shockwave Player
    Magnifier Powertoy for Windows XP
    McAfee SiteAdvisor
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft Office FrontPage 2003
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual Studio 6.0 Enterprise Edition
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    MovieEdit Task
    Mozilla Firefox (2.0.0.14)
    Mozilla Thunderbird (2.0.0.18)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MUSICMATCH® Jukebox
    Picasa 2
    PowerDVD 5.1
    Pure Networks Platform
    Qualxserve Service Agreement
    QuickTime
    RAW Image Task
    Seagate Manager Installer
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows XP (KB969947)
    Shockwave
    Skype™ 3.6
    Sonic DLA
    Sonic MyDVD
    Sonic RecordNow!
    Sonic Update Manager
    Sound Blaster Audigy 2
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SpywareBlaster 4.2
    TurboTax 2008
    TurboTax 2008 wdeiper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wpaiper
    TurboTax 2008 wrapper
    TurboTax Deluxe 2004
    TurboTax Deluxe 2005
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2005
    TurboTax ItsDeductible 2006
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    VC 9.0 Runtime
    Viewpoint Media Player
    Virtual Desktop Manager Powertoy for Windows XP
    Virtual Earth 3D (Beta)
    Weather Pulse 2.10 build 5
    WebFldrs XP
    WexTech AnswerWorks
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WinPatrol 2009
    WinZip 11.1
    WordPerfect Office 12
    ZoneAlarm Extreme Security
    Zune Desktop Theme
    ==== Event Viewer Messages From Past Week ========
    11/16/2009 8:58:14 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00111145C785 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    11/12/2009 2:19:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgTdiX
    11/11/2009 1:59:32 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    ==== End Of File ===========================
    "Return to old watering holes for more than water; friends and dreams are there to meet you."
    ~ African proverb

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again

    There's a newer version of Spybot available. Upgrade your version to the latest one here.


    Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?


    Uninstall your current Macromedia shockwave player and get the fresh one here if needed.


    Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. A fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
    • Click the Download button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.


    Any issues left?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
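
    The advice above amounts to reading the installed-programs list and flagging software whose installed version lags the current release, Java in particular, where every older install has to be removed before the new one goes on. As an added illustration (not code from the thread, from DDS, or from any of the tools named above), the Python script below does that triage over a constructed list in the same one-entry-per-line format as the DDS "Installed Programs" section. The Java baseline (6 Update 17) is the version named in the post; the other baselines are assumed placeholders to be filled in from the vendor's site, and the two Java entries in the sample are made up for the demonstration since the post only says Java is out of date.

```python
"""Triage a DDS-style "Installed Programs" list for out-of-date software.

Added example for this thread, not code from the forum or from any tool it
names.  The Java baseline (6 Update 17) is the version the helper names in
the post; every other baseline is an ASSUMED placeholder (None = no baseline
known, report the entry for a manual check against the vendor's site).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

BASELINES: Dict[str, Optional[Version]] = {
    "java": (6, 17),      # from the post: JRE 6 Update 17
    "flash": None,        # ASSUMPTION: fill in from the vendor's site
    "shockwave": None,    # ASSUMPTION: fill in from the vendor's site
    "spybot": None,       # the post only says a newer build than 1.5.2.20 exists
}

# Constructed sample in the format of the thread's DDS listing; the two Java
# entries are made up for the demonstration (the post only says Java is old).
SAMPLE_LIST = """\
Adobe Flash Player 10 ActiveX
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Shockwave
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.2
WinPatrol 2009
WinZip 11.1
"""

# Sun installer names: "Java(TM) 6 Update 7", "J2SE Runtime Environment 5.0 Update 6"
JAVA_RE = re.compile(
    r"^(?:Java(?:\(TM\))?|J2SE)(?:\s+(?:SE\s+)?Runtime Environment)?"
    r"\s+(\d+)(?:\.0)?\s+Update\s+(\d+)", re.I)
FAMILY_RE = [
    ("java", re.compile(r"^(?:Java|J2SE)\b", re.I)),
    ("flash", re.compile(r"Flash Player", re.I)),
    ("shockwave", re.compile(r"Shockwave", re.I)),
    ("spybot", re.compile(r"Spybot - Search & Destroy", re.I)),
]
DOTTED_RE = re.compile(r"\b(\d+(?:\.\d+)*)\b")


def classify(name: str) -> Optional[str]:
    """Map an entry to one of the watched families, or None if not watched."""
    for family, rx in FAMILY_RE:
        if rx.search(name):
            return family
    return None


def parse_version(name: str, family: str) -> Optional[Version]:
    """Java is normalised to (major, update); others take the first number run."""
    if family == "java":
        m = JAVA_RE.match(name)
        return (int(m.group(1)), int(m.group(2))) if m else None
    m = DOTTED_RE.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(listing: str) -> List[Dict]:
    """Return one record per watched entry with a status the helper can act on."""
    entries: List[Dict] = []
    for line in listing.splitlines():
        name = line.strip()
        family = classify(name) if name else None
        if family:
            entries.append({"name": name, "family": family,
                            "version": parse_version(name, family), "status": ""})
    for family in sorted({e["family"] for e in entries}):
        group = [e for e in entries if e["family"] == family]
        known = [e["version"] for e in group if e["version"] is not None]
        newest = max(known) if known else None
        baseline = BASELINES.get(family)
        for e in group:
            v = e["version"]
            if v is None:
                e["status"] = "no version in entry: check manually"
            elif len(known) > 1 and v < newest:
                # Side-by-side installs: the post says remove every older one.
                e["status"] = "superseded by a newer install: remove"
            elif baseline is None:
                e["status"] = "no baseline configured: check vendor"
            elif v < baseline:
                e["status"] = f"below baseline {baseline}: remove and update"
            else:
                e["status"] = "at or above baseline"
    return entries


if __name__ == "__main__":
    for rec in triage(SAMPLE_LIST):
        print(f"{rec['family']:10} {rec['name']:40} {rec['status']}")
```

    Entries outside the watched families (WinZip, WinPatrol, SpywareBlaster) are ignored on purpose; the point is the side-by-side Java case, where the older install is reported as superseded and the newer one as below the baseline, so both end up on the removal list the post asks for.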

  5. #5
    Junior Member
    Join Date
    Jul 2007
    Location
    MidAtlantic, U.S.A. & Tanzania, E.A.
    Posts
    22

    Default Completed all tasks. Log and comments posted.

    Malwarebytes' Anti-Malware 1.41
    Database version: 3189
    Windows 5.1.2600 Service Pack 3
    11/17/2009 3:57:38 PM
    mbam-log-2009-11-17 (15-57-38).txt
    Scan type: Quick Scan
    Objects scanned: 158348
    Time elapsed: 33 minute(s), 37 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

    :: ::

    Comments:

    During the Malwarebytes Scan the DDS.scr program ran, flashed a log, and then disappeared. Problem?

    Do you recommend setting Java to run automatic updates?
    Carbonite was not offered nor anything else extra during setup – yay!
    Hopefully, I downloaded the correct Java as I could not reach it per your instructions [I’m sure it was me somehow and not your instructions though] and had to search the site for Windows Offline Installation to be able to download.

    Do I keep the Malwarebytes and the DDS.scr programs?

    :: ::

    Before I originally posted I could not find any information on fvhrsysguard.exe, jenksysguard.exe and their buddies that suddenly downloaded with Virtumonde.

    I have never had files download that way that I am aware of; is there a logical reason for this process and these particular files that are still there?

    :: ::

    “Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?”
    No


    “Any issues left?”

    I have no clue Blade81! I never had any systems and have no idea if anything was compromised. Once I could not find any info stated in my post I came here to the forum because I did not want any issues.

    I actually do not use this computer very often, until recently that is, as I had one laptop die and my new one with Vista will not connect to the internet via wireless or broadband and cannot even upgrade to Windows 7.

    So, I came back to this computer for when my eyes tire of reading the internet on the Blackberry or iphone. MyMy, I was reminded in this process I still have AOL [disabled though] on this computer that I used for a public email address that was preferred by a non-profit I provided some service for years ago. tsk tsk

    If you see any issues or have any recommendations I welcome your advice.

    Thank you for your time and service Blade81.
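
    The log pasted in this post has a fixed shape: a few header lines, a block of summary counts, then one section per category that holds either "(No malicious items detected)" or one line per detection giving the object, its classification in parentheses and the action taken. As an added example (not Malwarebytes' own code and not from the thread), the Python parser below reads that shape, with the log above embedded verbatim so it runs offline. It cross-checks the summary counts against the detections actually listed, which catches a truncated or hand-edited paste, and picks out any item whose action was not a clean quarantine-and-delete (MBAM's "Delete on reboot" being the usual case), since those are the ones to re-check after a restart.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) scan log and sanity-check it.

Added example for this thread; not MBAM's own code.  MBAM_LOG is the log the
poster put in the thread, embedded verbatim so the script runs offline.
"""
import re
from typing import Dict, List

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3189
Windows 5.1.2600 Service Pack 3
11/17/2009 3:57:38 PM
mbam-log-2009-11-17 (15-57-38).txt
Scan type: Quick Scan
Objects scanned: 158348
Time elapsed: 33 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")       # summary count line
SECTION_RE = re.compile(r"^(.+ Infected):$")           # section heading
HEADER_RE = re.compile(r"^([A-Za-z ]+): (.+)$")         # e.g. "Scan type: Quick Scan"
DETECTION_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.+?)\.?$")
CLEAN_ACTION = "Quarantined and deleted successfully"
NONE_MARKER = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict:
    """Split the log into banner lines, header fields, summary counts and
    per-section detection records."""
    parsed: Dict = {"banner": [], "header": {}, "counts": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section is None:
            m = COUNT_RE.match(line)
            if m:
                parsed["counts"][m.group(1)] = int(m.group(2))
                continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            parsed["sections"].setdefault(section, [])
            continue
        if section is None:
            m = HEADER_RE.match(line)
            if m:
                parsed["header"][m.group(1)] = m.group(2)
            else:
                parsed["banner"].append(line)   # product line, date, log file name
            continue
        if line == NONE_MARKER:
            continue
        m = DETECTION_RE.match(line)
        if m:
            parsed["sections"][section].append(
                {"object": m.group(1), "threat": m.group(2), "action": m.group(3)})
        else:
            # Unknown shape: keep the line rather than silently drop a detection.
            parsed["sections"][section].append(
                {"object": line, "threat": "unparsed", "action": "unparsed"})
    return parsed


def count_mismatches(parsed: Dict) -> List[str]:
    """Summary counts that disagree with what the sections list."""
    problems = []
    for section, expected in parsed["counts"].items():
        found = len(parsed["sections"].get(section, []))
        if found != expected:
            problems.append(f"{section}: summary says {expected}, log lists {found}")
    return problems


def pending_items(parsed: Dict) -> List[Dict]:
    """Detections not closed by a clean quarantine-and-delete (e.g. MBAM's
    'Delete on reboot'); these need checking again after a restart."""
    return [d for items in parsed["sections"].values()
            for d in items if d["action"] != CLEAN_ACTION]


if __name__ == "__main__":
    p = parse_mbam_log(MBAM_LOG)
    for sec, items in p["sections"].items():
        for d in items:
            print(f"{sec}: {d['object']} [{d['threat']}] -> {d['action']}")
    print("count mismatches:", count_mismatches(p) or "none")
    print("pending after reboot:", pending_items(p) or "none")
```

    For the log in this post the parser yields one detection, the HKEY_CLASSES_ROOT\WR key classified as Malware.Trace, the counts agree with the sections, and nothing is left pending, which is the state a helper wants to see before answering "any issues left?".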

  6. #6
    Junior Member
    Join Date
    Jul 2007
    Location
    MidAtlantic, U.S.A. & Tanzania, E.A.
    Posts
    22

    Default Correction: I never had any systems... should read symptoms.

    Please forgive me.

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    During the Malwarebytes Scan the DDS.scr program ran, flashed a log, and then disappeared. Problem?
    No, I don't think so


    Do I keep the Malwarebytes and the DDS.scr programs?
    I'd keep Malwarebytes' Anti-Malware. DDS can be deleted.

    Before I originally posted I could not find any information on fvhrsysguard.exe, jenksysguard.exe and their buddies that suddenly downloaded with Virtumonde.

    I have never had files download that way that I am aware of; is there a logical reason for this process and these particular files that are still there?
    Those may have been downloaded by exploiting unpatched vulnerabilities of the system. Pretty common nowadays.

    “Do you use Adobe Acrobat 6.0 Professional for other tasks than just converting documents to pdfs?”
    No
    Ok. Then I recommend uninstalling it and getting one of these alternatives here.

  8. #8
    Junior Member
    Join Date
    Jul 2007
    Location
    MidAtlantic, U.S.A. & Tanzania, E.A.
    Posts
    22

    Default Thank you

    Blade81 for your time and expertise.

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    You're welcome

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
