
Thread: virtumonde removal

  #1 theare (Junior Member; Join Date: Aug 2011; Posts: 6)

    virtumonde removal

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
    Run by isis at 11:32:23 on 2011-08-25
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.1216.661 [GMT -4:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Windows\system32\slserv.exe
    C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
    C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.5\iobitToolbarIE.dll
    uURLSearchHooks: H - No File
    BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.5\iobitToolbarIE.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.5\iobitToolbarIE.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe
    uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
    StartupFolder: c:\users\isis\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254 192.168.0.1
    TCP: Interfaces\{26E8A79F-0978-43D9-B816-75A3C529E62D} : DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
    TCP: Interfaces\{7DFD0662-4948-40A9-869F-D187FE37FAB3} : DhcpNameServer = 192.168.1.254 192.168.0.1
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\isis\appdata\roaming\mozilla\firefox\profiles\q9905z3n.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20110818
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20110818&q=
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\isis\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-8-17 16184]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-11 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-11 307928]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-11 328536]
    R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-6-24 393112]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-11 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-6-11 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-11 42184]
    R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-8-17 820568]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-4 366640]
    R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-12-2 483688]
    R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-4 22712]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2009-12-2 550760]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2009-12-2 195944]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-12-2 21864]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2009-12-2 19304]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-12-2 209768]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-8-8 1153368]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-13 15872]
    S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\RegFilter.sys [2011-8-17 30600]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-13 52224]
    S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\UrlFilter.sys [2011-8-17 19280]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-11 1343400]
    S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\FileMonitor.sys [2011-8-17 18768]
    .
    =============== Created Last 30 ================
    .
    2011-08-23 18:41:53 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-22 20:12:19 -------- d-----w- c:\windows\system32\SPReview
    2011-08-22 20:11:19 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-18 16:20:22 -------- d-----w- c:\program files\StartNow Toolbar
    2011-08-17 17:42:06 29008 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2011-08-17 17:42:06 16184 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2011-08-17 17:40:41 -------- d-----w- c:\program files\Application Updater
    2011-08-17 17:40:40 -------- d-----w- c:\program files\IObit Toolbar
    2011-08-17 17:40:40 -------- d-----w- c:\program files\common files\Spigot
    2011-08-14 15:12:41 -------- d-----w- c:\users\isis\appdata\roaming\OpenOffice.org
    2011-08-12 13:16:09 -------- d-----w- c:\users\isis\appdata\roaming\ParetoLogic
    2011-08-12 13:16:09 -------- d-----w- c:\users\isis\appdata\roaming\DriverCure
    2011-08-12 13:15:29 -------- d-----w- c:\programdata\ParetoLogic
    2011-08-12 13:15:29 -------- d-----w- c:\program files\ParetoLogic
    2011-08-12 13:13:32 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-08-12 13:13:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-12 00:39:42 -------- d-----w- c:\users\isis\appdata\local\SoftGrid Client
    2011-08-12 00:39:05 -------- d-----w- c:\users\isis\appdata\roaming\SoftGrid Client
    2011-08-12 00:33:48 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
    2011-08-12 00:32:13 -------- d-----w- c:\users\isis\appdata\roaming\TP
    2011-08-11 14:52:01 -------- d-----w- c:\users\isis\appdata\local\Google
    2011-08-10 21:18:18 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 21:18:18 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 21:18:03 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-08-10 21:00:46 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-08-10 21:00:46 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-10 21:00:46 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll
    2011-08-08 23:26:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-08-08 23:26:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-04 21:50:25 -------- d-----w- c:\users\isis\appdata\roaming\Malwarebytes
    2011-08-04 21:50:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-04 21:50:15 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-04 21:50:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-04 21:50:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-04 21:31:51 -------- d-----w- c:\users\isis\appdata\roaming\AVG10
    2011-08-04 21:30:19 -------- d--h--w- c:\programdata\Common Files
    2011-08-04 21:25:13 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-04 21:25:13 -------- d-----w- c:\programdata\AVG10
    2011-08-04 21:24:39 -------- d-----w- c:\program files\AVG
    2011-08-04 17:41:09 -------- d-----w- c:\programdata\MFAData
    2011-08-02 17:42:10 65536 --sha-r- c:\windows\system32\odbcad32Q.dll
    2011-08-02 17:40:22 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e5ca2abb-aea3-456a-8e64-bbedea9f3e43}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-08-22 20:25:12 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-06-12 02:55:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-11 16:22:17 562176 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-06-11 16:21:44 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-06-11 16:21:44 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-06-11 16:21:44 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-06-11 16:21:26 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-06-11 16:21:26 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-06-11 02:29:25 2334208 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 11:44:26.40 ===============

    http://forums.spybot.info/showthread...539#post411539
    Last edited by tashi; 2011-08-25 at 18:52. Reason: Added link

  #2 theare (Junior Member; Join Date: Aug 2011; Posts: 6)

    Where do I go from here?

    Waiting for help in the Malware Forum FOUR days or longer?

    PS) Some helpers are in areas hit by Hurricane Irene and have no power.
    Last edited by tashi; 2011-08-29 at 07:04. Reason: Added link
