Please Help Remove Virtumonde

Status
Not open for further replies.
You're fine :bigthumb:

ComboFix.exe[nircmd.exe] <-- this is part of Combofix

The rest of those entries are backed up in your System Restore program, so you need to flush it all out and create a new Restore Point.

System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Reboot your computer


Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Create a new Restore Point <-- Very Important

  • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
    You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point
System Restore Tutorial <-- If you need it

If it makes you feel better, post a new HJT log and let's make sure nothing has returned.
 
Restore

OK, I did all that. I'm posting an HJT log here. Also, I'm going to do one more Panda scan to make sure those things are gone. It will take about an hour (maybe more; I didn't time it), so I'll post the results when it's done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:08 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
O4 - HKLM\..\Run: [Acer ePresentation HPD] "C:\Acer\Empowering Technology\ePresentation\ePresentation.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] "C:\Acer\Empowering Technology\ePower\Boot.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LManager] "C:\PROGRA~1\LAUNCH~1\LManager.exe"
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe

--
End of file - 7871 bytes
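As an added illustration of what the helper does when reading a log like the one above (this is example code written for this page, not a tool from the thread or from Trend Micro): a small Python script that parses HijackThis O2/O4/O16/O23 lines and flags the kinds of entries a malware-removal helper looks at first. The sample lines are a constructed excerpt modelled on the posted log, plus one invented O4 entry launching an "svhost.exe" from a Temp folder so the heuristics have something to catch; the flagging rules and the SYSTEM_NAMES/SUSPECT_DIRS lists are my own assumptions. A flag means "look at this", not "this is malware": the helper judged the real log above clean even though it contains an orphaned BHO and an "Unknown owner" service.

```python
"""Triage a HijackThis (HJT) v2 log: parse O2/O4/O16/O23 entries and flag the
ones a malware-removal helper would look at first.

Added example for this page, not a tool from the thread. The flagging rules,
the SYSTEM_NAMES and SUSPECT_DIRS lists, and the sample lines are assumptions
made here; a flag means "review this", not "this is malware".
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed sample: lines in HJT 2.0.2 format, most copied from the log in
# the thread, plus one INVENTED O4 entry (svhost.exe in Temp) for the demo.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svhost] "C:\Documents and Settings\User\Local Settings\Temp\svhost.exe" /s
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
"""

# Core Windows binaries that malware commonly imitates with a one-letter change
# (assumed list; extend as needed).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "ctfmon.exe", "smss.exe"}

# Directories a legitimate autostart entry almost never launches from (assumed).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\recycler\\", "\\documents and settings\\")


@dataclass
class Entry:
    kind: str                 # HJT section, e.g. "O2", "O4", "O23"
    raw: str                  # the original log line
    path: str = ""            # file path or URL the entry points at, if any
    flags: List[str] = field(default_factory=list)


def _autostart_target(remainder: str) -> str:
    """Pull the executable out of an O4 value: '"C:\\x.exe" /s' or 'C:\\x.exe'."""
    remainder = remainder.strip()
    if remainder.startswith('"'):
        end = remainder.find('"', 1)
        return remainder[1:end] if end > 0 else remainder.strip('"')
    return remainder          # unquoted O4 values rarely carry arguments


def parse(log_text: str) -> List[Entry]:
    """Parse the O-sections of an HJT log (R0/R1 browser settings are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
        if not m:
            continue
        kind, rest = m.group(1), m.group(2)
        e = Entry(kind=kind, raw=line.strip())
        if kind in ("O2", "O16", "O23"):
            # 'label - {CLSID} - path'  /  'Service: name - owner - path'
            e.path = rest.rsplit(" - ", 1)[-1].strip()
        elif kind == "O4" and "]" in rest:
            e.path = _autostart_target(rest.split("]", 1)[1])
        entries.append(e)
    return entries


def flag(entries: List[Entry]) -> List[Entry]:
    """Attach review flags to entries according to the heuristics above."""
    for e in entries:
        low = e.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if e.kind == "O2" and low == "(no file)":
            e.flags.append("orphaned BHO: CLSID registered but its DLL is missing")
        if e.kind == "O4":
            if any(d in low for d in SUSPECT_DIRS):
                e.flags.append("autostart from temp/profile directory")
            for name in SYSTEM_NAMES:
                if base != name and SequenceMatcher(None, base, name).ratio() >= 0.85:
                    e.flags.append(f"filename imitates {name}")
        if e.kind == "O23" and " - Unknown owner - " in e.raw:
            e.flags.append("service with no publisher info (verify; not necessarily malicious)")
    return entries


def review(log_text: str) -> Dict[str, List[str]]:
    """Return {raw HJT line: [flags]} for every entry that raised a flag."""
    return {e.raw: e.flags for e in flag(parse(log_text)) if e.flags}


if __name__ == "__main__":
    for line, flags in review(SAMPLE_LOG).items():
        print(line)
        for f in flags:
            print("   ->", f)
```

Run against the constructed sample, it flags three lines: the orphaned O2 entry, the invented Temp-folder "svhost.exe" autostart (both for its location and for imitating svchost.exe), and the ProtexisLicensing service, which the thread's helper later identifies as copy-protection software rather than malware; everything else in the sample passes. Paste a real log into `review()` and treat each flag as a file to look up or submit to a multi-engine scanner, which is the manual step the helper asks for further down the thread.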
 
Final

I did a final scan with Panda, and the only things that turned up were the ComboFix files, so everything is OK!!

My computer will run more smoothly than it has in months!
Thank you!

:bigthumb:
 
Confusion

I'm not sure what it is that's doing this. Maybe it's just a result of a bad internet connection. I don't know. I thought that removing these viruses would stop this from happening, but apparently it hasn't. Sometimes when I'm using the internet to play a game, it will lag every few minutes for only a few seconds. The CPU usage for the internet program I am using, whether it be IE or Firefox (I've tried both), will go up to about 50% and the entire CPU usage will go up to 100%.
This is still happening occasionally. Any ideas why?
 
Repost

Well, I guess stressful operations aren't the only thing causing this problem. It seems that as long as I'm running the internet, it jumps the CPU every few minutes. This web site leaves the CPU at 0% IE consumption most of the time. But every few minutes it will jump up to about 40, then about 5 seconds later, back down to normal again. Any idea what this is? It used to happen less frequently than it happens now.
 
Your HJT log is clean; all the infections have been removed. When something like you're describing happens, it could be a software conflict of some sort. From your log I gather that you have some sort of copy protection software installed; sometimes these cause problems, but if you uninstall it your CDs may not play.

Since this forum is for the removal of malware only, I am going to link you to some Windows support sites that deal with these sorts of issues day in and day out; they will be better equipped to help you.


Windows Tech Support Forums


It's Not Always Malware
Speedup Windows
Windows Tips

Malware Complaints
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.




Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.5
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  • Spyware Blaster It will prevent most spyware from ever being installed.
  • Spyware Guard It offers realtime protection from spyware installation attempts.
  • IE-Spyad
    IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
    (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0 It has more features and is a lot more secure than IE. It is a very easy and
    painless download and install; it will in no way interfere with IE, you can use them both.
  • Zone Alarm Here is a free Firewall from Zone Labs, I
    wouldn't access the internet without it.


Safe Surfn
Ken
 
Problem!

I used the bleepingcomputer forum to address my problem. They suggested that I remove AdAware and replace it with this other freeware called SUPERAntiSpyware. So I did that, and I thought that had solved the problem of the lag, but it didn't. I still lagged. They then suggested that I go into Safe Mode and scan with both the freeware program and Panda. I was scanning using the freeware program. It was going very slowly due to Safe Mode. So I decided to leave the room for a minute. When I came back, the computer was turned off. And it took me several presses of the power button to turn it back on. Why did this happen?
 
That's hard to say; we ran so many scans and they all came up with nothing. If you like, run SAS in normal Windows and post the report for me to see.
 
Then I would say it's a Windows issue. A couple of things you can try.

Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have an I386 folder on your C:\ drive you may not need the disk.
  • Click Start>Run
  • Type in sfc /scannow, hit Enter.
  • Note: there is a space between sfc and /scannow
  • This should replace any corrupted/missing system files and will hopefully fix things.


Trying to find what's causing this can be a daunting task. What I would do is, the next time your system really lags, press Ctrl+Alt+Delete to bring up Task Manager and, under the Processes tab, see what's running at 100% and let me know what it is.
 
It's most likely a problem with the registry, I agree. I used a reg cleaner a while back without really considering the consequences. That probably killed a few necessary files. The process that causes the CPU jump is always the internet program I'm using. I use both IE and Firefox interchangeably depending on what I want to do. IE is fast, so I use it for simple tasks such as getting pictures or checking email. But I'll use Firefox for more complicated things because it's safer. I'm sure you know the process names for Firefox and IE.

Usually when it happens, I'll open up the Task Manager to see what is doing the lagging. Every time it's been the internet program.
 
The CPU usage only seems to jump when I'm using something that would be a little more demanding of the internet process. For example, viewing this page does not trigger it because the usage of IE right now is very, very low. But if I'm using something a little more demanding, that would normally have a usage of around 20%, then the jumps start.
 
"It's most likely a problem with the registry"
You may have messed up your registry; removing items in the registry can sometimes lead to disasters. I'm not sure what you removed or did to your system. I have been into computing since Windows 3.1 and never had any use for any of those types of programs; they can be fatal in the wrong hands.

We need to make sure all hidden files are showing :
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Go to this site Jotti Upload and under the browse feature, browse to these files

C:\WINDOWS\system32\ccefdec3_d.dll
C:\WINDOWS\Inst9753.exe

Then click on Submit and it will give you a report, post the report in your next reply.

The program I asked you to run will not fix the registry; it just checks for missing or corrupt Windows files and replaces them if needed.
 
Your system appears free of malware, so what you're experiencing is most likely a Windows problem. Since this forum is for the removal of malware only, this is as far as I can go. You'll need to post in one of the forums I am listing; be sure you tell them that you posted here and we removed a Vundo infection along with some other malware, and be sure to tell them also that you ran a registry cleaner and it may have messed up your system a bit.


Windows Tech Support Forums


It's Not Always Malware
Speedup Windows
Windows Tips
Ken:)
 
I just want to check with you about this one. On the bleepingcomputer forum, somebody gave me this information. They were not staff, just some guy, so I just wanted to make sure that he knows what he's talking about before I go doing anything.

This is what he said:

"you can try running cleanup

burn it to cd and install then run it

http://www.stevengould.org/index.php?optio...29&Itemid=1

or try chkdsk /r
start/run click ok

type the letter Y press enter

disregard the chkdsk message/warning.....restart your computer
this takes about 1 to 2 hours
do not disturb this"
 
The Cleanup program is similar to running CCleaner; it just cleans temp files, cookies and things of that nature, and has nothing to do with your registry.

chkdsk <-- is a safe program to run; it's built into Windows. What it does is check your drive for errors, mainly in the file system. It too has nothing to do with the registry.

http://downloads.zdnet.com/download.aspx?docid=272002
You can try this program and see if it helps; just remember that this is your call, and proceed at your own risk.

Good Luck,
Ken
 
When I got my computer, it came with two burned disks. One is labeled Aspire 5102 WLmi Recovery Disk 1 of 2. The other is 2 of 2. Would these help fix the problem? I've never used recovery disks, so I don't even know what these do :D
 