Virtumonde and many problems. (solved)

Status
Not open for further replies.
See if comodo produces a log that you can post so I can see what they are.
 
Thanks for looking at these logs Katana. The first is the Comodo log, the second is the Avira log that found 14 virus infections plus Virtumonde.zip, although this particular file was located in the Spybot quarantine sector. I purged Spybot and the Avira quarantines. I read on another post that my wireless router could be one of the sources, so I am going to reset my router and then set a higher-security username and password. Before we had finished the purge on my laptop I formatted my USB flash drive just to be sure that I was not carrying a virus there.

Comodo Log:
TrojWare.Win32.Trojan.Agent.~(ID = 0x188701) D:\i386\Apps\App01635\wtmod.exe
TrojWare.Win32.Trojan.Agent.~(ID = 0x1922fa) D:\i386\Apps\App04153\zprocess.exe
TrojWare.Win32.Trojan.Agent.~(ID = 0x188701) D:\i386\Apps\App31066\mcafeeboot.exe
TrojWare.Win32.Trojan.Agent.~(ID = 0x1921c7) D:\i386\Apps\App20190\popup.exe
ApplicUnsaf.Win32.Hide.~AB(ID = 0xcb6f4) C:\32788R22FWJFW\hidec.exe
Application.Win32.NirCmd.~A(ID = 0x18202c) C:\32788R22FWJFW\NirCmd.cfexe
Application.Win32.NirCmd.~A(ID = 0x18202c) C:\32788R22FWJFW\nircmd.com
ApplicUnsaf.Win32.Adware.PsExec.A(ID = 0x19082a) C:\32788R22FWJFW\psexec.cfexe

Avira AntiVir Personal
Report file date: Sunday, December 07, 2008 17:46

Scanning for 1076607 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CHRISNOTEBOOK

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 23:45:19
ANTIVIR2.VDF : 7.1.0.198 2048 Bytes 12/7/2008 23:45:20
ANTIVIR3.VDF : 7.1.0.199 2048 Bytes 12/7/2008 23:45:20
Engineversion : 8.2.0.42
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.17 336251 Bytes 12/7/2008 23:45:36
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.32 196987 Bytes 12/7/2008 23:45:34
AEHEUR.DLL : 8.1.0.74 1519990 Bytes 12/7/2008 23:45:33
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/7/2008 23:45:25
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/7/2008 23:45:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/7/2008 23:45:22
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, December 07, 2008 17:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'Hotsync.exe' - '1' Module(s) have been scanned
Scan process 'bigfix.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'mssysmgr.exe' - '1' Module(s) have been scanned
Scan process 'LinksysAgent.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'IAANTMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
63 processes with 63 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '76' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49ae6334.qua'!
C:\Documents and Settings\Owner.ChrisNotebook\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache\mbs2F.tmp
[0] Archive type: CAB (Microsoft)
--> package.cab
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP407\A0091934.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496c6795.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP408\A0092022.dll
[DETECTION] Is the TR/Vundo.NH Trojan
[NOTE] The file was moved to '496c679f.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP408\A0092037.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496c67a5.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP408\A0092038.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496c67a9.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP408\A0092058.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '496c67ac.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP408\A0092059.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '496c67b0.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP410\A0092073.dll
[DETECTION] Is the TR/Vundo.NH Trojan
[NOTE] The file was moved to '496c67b6.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP410\A0092074.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '496c67bb.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP410\A0092075.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '496c67be.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP417\A0092626.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496c67d9.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP418\A0092712.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP418\A0092720.com
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP418\A0092749.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP418\A0092757.com
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP418\A0092769.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP419\A0092798.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP419\A0092805.com
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP419\A0092843.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093338.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093339.com
[WARNING] The file could not be opened!
C:\WINDOWS\system32\denunime.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49aa6b50.qua'!
C:\WINDOWS\system32\dobohero.dll.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '499e6b72.qua'!
C:\WINDOWS\system32\fezijepa.dll.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49b66b86.qua'!
C:\WINDOWS\system32\numitopi.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49a96bc1.qua'!
Begin scan in 'D:\' <RECOVERY>
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093334.exe
[WARNING] The file could not be opened!
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093335.exe
[WARNING] The file could not be opened!
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093336.exe
[WARNING] The file could not be opened!
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP421\A0093337.exe
[WARNING] The file could not be opened!


End of the scan: Sunday, December 07, 2008 18:39
Used time: 52:46 Minute(s)

The scan has been done completely.

7489 Scanning directories
455734 Files were scanned
14 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
15 files were moved to quarantine
0 files were renamed
16 Files cannot be scanned
455703 Files not concerned
8279 Archives were scanned
17 Warnings
15 Notes
 
There is nothing to worry about there :)


D:\i386 << All the ones in this folder are False Positives
C:\32788R22FWJFW << When you uninstall Combofix with the instructions I provided in the "Clean Up" these will be removed
C:\System Volume Information\_restore << When you uninstall Combofix with the instructions I provided in the "Clean Up" these will be removed
C:\WINDOWS\system32\denunime.dll.tmp << Leftovers from your original infection
C:\WINDOWS\system32\dobohero.dll.tmp << Leftovers from your original infection
C:\WINDOWS\system32\fezijepa.dll.tmp << Leftovers from your original infection
C:\WINDOWS\system32\numitopi.dll.tmp << Leftovers from your original infection
D:\System Volume Information\_restore << When you uninstall Combofix with the instructions I provided in the "Clean Up" these will be removed
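An added example (my own code, not from the thread, Avira or Comodo): a small Python parser for the Avira report layout quoted above that pairs each [DETECTION] with its file path and its [NOTE] lines, then sorts the hits by path the same way the reply does (restore-point copies, the ComboFix working directory, another tool's quarantine, installer payloads, .dll.tmp leftovers in system32). The category labels are my assumptions; the sample lines are constructed from paths that appear in this thread.

```python
import re

# Constructed excerpt in the Avira report layout quoted in the thread (paths copied from it).
SAMPLE_REPORT = """\
C:\\hiberfil.sys
[WARNING] The file could not be opened!
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Virtumonde.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '49ae6334.qua'!
C:\\System Volume Information\\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\\RP408\\A0092022.dll
[DETECTION] Is the TR/Vundo.NH Trojan
[NOTE] The file was moved to '496c679f.qua'!
C:\\WINDOWS\\system32\\denunime.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49aa6b50.qua'!
"""

# Path rules encoding the helper's reading of the log; first match wins. Labels are assumptions.
RULES = [
    (re.compile(r"\\System Volume Information\\_restore", re.I), "restore-point copy"),
    (re.compile(r"^[A-Z]:\\32788R22FWJFW\\", re.I), "ComboFix working directory"),
    (re.compile(r"^D:\\i386\\", re.I), "installer payload (false positive)"),
    (re.compile(r"\\Recovery\\", re.I), "another tool's quarantine"),
    (re.compile(r"^C:\\WINDOWS\\system32\\[a-z]+\.dll\.tmp$", re.I), "system32 leftover"),
]

def classify(path):
    return next((label for rx, label in RULES if rx.search(path)), "needs review")

def parse_detections(report):
    """Return (path, signature, notes) for each path that carries a [DETECTION] line.
    Entries with only a [WARNING] (unreadable files) are skipped."""
    recs, cur = [], None
    for line in report.splitlines() + [""]:        # trailing "" flushes the last entry
        if not line.startswith("["):               # a bare line is the next file path
            if cur and cur["sig"]:
                recs.append((cur["path"], cur["sig"], cur["notes"]))
            cur = {"path": line.strip(), "sig": None, "notes": []}
        elif cur and line.startswith("[DETECTION]"):
            m = re.search(r"\b[A-Z]+/\S+", line)   # e.g. TR/Vundo.NF or GEN/PwdZIP
            cur["sig"] = m.group(0) if m else line
        elif cur and line.startswith("[NOTE]"):
            cur["notes"].append(line[len("[NOTE] "):])
    return recs

def triage(report):
    """Map each detected path to (signature, category) so the real leftovers stand out."""
    return {p: (s, classify(p)) for p, s, _ in parse_detections(report)}
```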
 
Hey Katana,
I followed the instructions for cleaning everything up. I will be posting to you from my wife's computer, as I can no longer connect either wirelessly or by direct cable connection to the same router that I'm posting from now. The router security settings and authentication code keep changing. I've misplaced my router installation CD, so I'm unable to do a hard reset and change the settings to a higher level. If there are any steps we need to perform, I will be downloading those programs onto a flash drive to move to my computer and uploading logs from the flash drive to this computer. Any suggestions?
 
I'm sorry, I don't understand.

"The router security settings and authentication code keep changing"

If this was happening, you would not be able to connect from any computer.
When did this happen ?
 
I was able to access my router through my wife's computer, do a hard reset and change the settings to a higher level. I'm able to access the internet now after uninstalling Comodo; I believe that I had the firewall settings set too high. I'll reinstall Comodo and pay more attention to the settings. I was being too cautious and not wanting another infection. Spybot and Avira now show NO infections, so I think that we can close out this thread. Thanks again, Katana. If I have other problems I'll get back on the forum, start a new thread and wait my turn.

Chris
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.