Virtuemonde is so mean!

E

eytke#576

New member
So I have followed your dirrections in the sticky "Before You Post" word for word. I am going to post my HJT log and can post my KASPERSKY log if needed but it will take more than one post. This is my second time using your site. This time for my personal system. Thank you so much for the help you have given me in the past and for any assistance on this issue.

When dirrected in the sticky to run Spybot in safe mode untill it turned up no red text I had a problem. Virtuemonde would never completely heal. I ran the test 4 times with no successful removeal.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:33 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\AVast\aswUpdSv.exe
D:\Applications\AVast\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
D:\APPLIC~1\AVast\ashDisp.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Applications\SpywareGuard\sgmain.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\WINDOWS\system32\nvsvc32.exe
D:\Applications\SpywareGuard\sgbhp.exe
D:\Applications\AVast\ashMaiSv.exe
D:\Applications\AVast\ashWebSv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\Applications\Mozilla Firefox\firefox.exe
D:\Applications\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents%20and%20Settings/Kaji%20Master/Desktop/Blake's%20Page.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Applications\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] D:\APPLIC~1\AVast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = D:\Applications\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Applications\AVast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Applications\AVast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Applications\AVast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Applications\AVast\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3706 bytes
 
Hi

Could you post a fresh hjt log & Kaspersky scanner reports, please? :)

Was it Spybot that still detects Virtumundo? Could you post those results too?
 
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 10:07:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 525024


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 166579
Number of viruses found 5
Number of infected objects 8
Number of suspicious objects 2
Duration of the scan process 02:09:13

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Desktop\Nero-7.7.5.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Documents and Settings\Administrator\Desktop\Nero-7.7.5.1_eng_trial.exe RAR: infected - 1 skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\1144 Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

D:\Applications\AVast\DATA\aswResp.dat Object is locked skipped

D:\Applications\AVast\DATA\Avast4.db Object is locked skipped

D:\Applications\AVast\DATA\integ\avast.int Object is locked skipped

D:\Applications\AVast\DATA\log\AshWebSv.ws Object is locked skipped

D:\Applications\AVast\DATA\log\aswMaiSv.log Object is locked skipped

D:\Applications\AVast\DATA\log\nshield.log Object is locked skipped

D:\Applications\AVast\DATA\report\Resident protection.txt Object is locked skipped

D:\Applications\mIRC\2448Script\Mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

D:\Applications\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

D:\Applications\mIRC\pro\extras\script16.mrc Infected: Backdoor.IRC.Kelebek.ad skipped

D:\Applications\mIRC\pro\extras\script26.mrc Infected: Backdoor.IRC.Kelebek.ac skipped

D:\Applications\mIRC\pro\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{BE44D458-1C1C-4013-B33C-7A189FF7B2C1}\RP292\change.log Object is locked skipped

D:\Temp\Windows\Perflib_Perfdata_54c.dat Object is locked skipped

D:\Temp\Windows\_avast4_\Webshlock.txt Object is locked skipped

D:\Temp\~DF9AAB.tmp Object is locked skipped

D:\Temp\~DFE5E1.tmp Object is locked skipped

E:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped

E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped

E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped

E:\Documents and Settings\Kaji Master\Cookies\index.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\History\History.IE5\index.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\History\History.IE5\MSHist012008012020080121\index.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\ntuser.dat Object is locked skipped

E:\Documents and Settings\Kaji Master\NTUSER.DAT.LOG Object is locked skipped

E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{BE44D458-1C1C-4013-B33C-7A189FF7B2C1}\RP292\change.log Object is locked skipped

E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

E:\WINDOWS\SchedLgU.Txt Object is locked skipped

E:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

E:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

E:\WINDOWS\system32\config\default Object is locked skipped

E:\WINDOWS\system32\config\default.LOG Object is locked skipped

E:\WINDOWS\system32\config\Internet.evt Object is locked skipped

E:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

E:\WINDOWS\system32\config\OSession.evt Object is locked skipped

E:\WINDOWS\system32\config\SAM Object is locked skipped

E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

E:\WINDOWS\system32\config\SECURITY Object is locked skipped

E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

E:\WINDOWS\system32\config\software Object is locked skipped

E:\WINDOWS\system32\config\software.LOG Object is locked skipped

E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

E:\WINDOWS\system32\config\system Object is locked skipped

E:\WINDOWS\system32\config\system.LOG Object is locked skipped

E:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

E:\WINDOWS\system32\h323log.txt Object is locked skipped

E:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

E:\WINDOWS\WindowsUpdate.log Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:16 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
D:\Applications\AVast\aswUpdSv.exe
D:\Applications\AVast\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
D:\APPLIC~1\AVast\ashDisp.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Comodo\cfp.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Applications\SpywareGuard\sgmain.exe
E:\Program Files\Comodo\cmdagent.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Applications\SpywareGuard\sgbhp.exe
E:\WINDOWS\system32\nvsvc32.exe
D:\Applications\AVast\ashMaiSv.exe
D:\Applications\AVast\ashWebSv.exe
D:\Applications\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\Applications\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents%20and%20Settings/Kaji%20Master/Desktop/Blake's%20Page.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Applications\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] D:\APPLIC~1\AVast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = D:\Applications\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\APPLIC~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: E:\WINDOWS\system32\guard32.dll
O23 - Service: Apple Mobile Device - Unknown owner - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Applications\AVast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Applications\AVast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Applications\AVast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Applications\AVast\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - E:\Program Files\Comodo\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3916 bytes
 
Hi

Clean Spybot recovery (first aid kit icon in Spybot program).

That's all I could find. Is there still something wrong with the system?
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top