Virtumonde Problem once again

Status
Not open for further replies.
J

JoeMalik

New member
Alright.
I have Vitumonde + Virtumonde.dll. At least thats what Spybot S&D said. Sometimes it could "fix" it but its still on. I already ran ComboFix and SmitfraudFix (but on a Smitfraud.C Problem that was also there and got fixed) but it still shows up.

I need your help guys.

HiJackThis Log:
Edited out coded HJT log.


I don't know what else you need. Just tell me!
TIA
 
Last edited by a moderator:
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I know of no program that can remove this junk, Spybot S&D tries, especially if it up to date:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
I don't know what else you need. Just tell me!
Click to expand...
For starters read the directions, they are pinned (sticky) to the top of this forum and I also posted them above.
All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
Click to expand...
Do not code or quote the logs, once you post a new HJT that is copied/pasted I will edit out the first one you posted and respond with the first instructions as soon as possible after that.

Thanks
 
Alright, here is the NEW HJT Log, and sorry for the wrong posting:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:10, on 05.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Veoh Networks\Veoh\VeohClient.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA798] command /c del "C:\WINDOWS\system32\keourfvx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4573] cmd /c del "C:\WINDOWS\system32\keourfvx.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKCU\..\RunOnce: [SpybotDeletingB3945] command /c del "C:\WINDOWS\system32\keourfvx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6400] cmd /c del "C:\WINDOWS\system32\keourfvx.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCEE401E-DAEF-48D8-8E28-4DCCA789A581}: NameServer = 192.168.178.1
O20 - AppInit_DLLs: vwdflw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 4941 bytes
 
Thanks for the new HJT log, Spybot S&D TeaTimer is disabled, please leave it that way until after we are finished.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
ComboFix Log and new HJT Log

Alright, so this is the combofix log:

ComboFix 08-10-05.06 - Windoof 2008-10-06 14:20:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.247 [GMT 2:00]
ausgef¸hrt von:: H:\ComboFix.exe
Benutzte Befehlsschalter :: C:\Dokumente und Einstellungen\Windoof\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Lˆschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\agjrosry.dll
C:\WINDOWS\system32\htkourly.dll
C:\WINDOWS\system32\maoilafw.dll
C:\WINDOWS\system32\nnnkLdDt.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-09-06 bis 2008-10-06 ))))))))))))))))))))))))))))))
.

2008-10-04 18:48 . 2008-10-04 18:48 <DIR> d-------- C:\Programme\Verimount
2008-10-04 18:48 . 2008-10-04 18:48 <DIR> d-------- C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Verimount
2008-10-04 18:47 . 2008-10-04 18:47 <DIR> d-------- C:\Programme\VideoLAN
2008-09-27 15:14 . 2008-09-27 15:14 121 ---hs---- C:\WINDOWS\system32\wfalioam.ini
2008-09-20 12:37 . 2008-09-20 12:37 <DIR> d-------- C:\VundoFix Backups
2008-09-20 12:26 . 2008-09-20 12:26 <DIR> d-------- C:\Programme\CCleaner
2008-09-18 13:49 . 2008-09-18 13:49 <DIR> d-------- C:\Programme\ASUS
2008-09-18 12:12 . 2008-09-18 12:12 2,160 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-17 22:28 . 2008-09-19 22:13 733 --a------ C:\WINDOWS\Edofma.INI
2008-09-17 19:30 . 2008-10-05 21:54 1,403 --a------ C:\WINDOWS\wininit.ini
2008-09-17 18:43 . 2008-09-17 18:43 <DIR> d-------- C:\Programme\TeaTimer (Spybot - Search & Destroy)
2008-09-17 18:39 . 2008-10-04 18:33 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-09-17 18:39 . 2008-10-06 14:14 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-09-17 18:33 . 2008-09-17 18:45 <DIR> d-------- C:\Programme\a-squared
2008-09-16 22:28 . 2008-09-16 22:34 793,519,824 --------- C:\IOUSA(2008)DvDrip-aXXo.avi
2008-09-16 22:28 . 2008-09-16 22:29 25,296,896 --------- C:\.goutputstream-57O0HU
2008-09-14 22:29 . 2008-09-14 22:29 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Hewlett-Packard
2008-09-14 22:29 . 2003-06-23 11:44 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-09-14 22:29 . 2003-06-23 11:44 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-09-14 22:29 . 2003-06-23 11:44 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-09-14 22:29 . 2003-06-23 11:44 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-09-14 22:22 . 2008-09-14 22:22 <DIR> d-------- C:\Programme\Gemeinsame Dateien\HP
2008-09-14 22:21 . 2008-09-14 22:21 43,488 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-09-14 22:16 . 2008-09-14 22:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-09-14 22:12 . 2003-08-11 08:44 51,056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2008-09-14 22:12 . 2003-08-11 08:44 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-09-14 22:11 . 2003-08-11 08:44 21,488 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-09-14 22:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-14 22:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-14 22:09 . 2008-09-14 22:29 <DIR> d-------- C:\Programme\HP
2008-09-14 22:09 . 2003-08-11 08:44 34,480 --------- C:\WINDOWS\hpomdl03.dat
2008-09-14 22:09 . 2008-09-14 22:35 28,955 --a------ C:\WINDOWS\hpoins03.dat

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 22:26 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-09-15 19:28 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\uTorrent
2008-09-14 20:41 --------- d-----w C:\Programme\Only Astrology
2008-09-11 17:56 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\.purple
2008-09-04 22:29 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\InstallShield
2008-09-04 22:27 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2008-09-04 12:23 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Atari
2008-09-04 12:15 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Leadertech
2008-09-02 20:04 --------- d-----w C:\Programme\Common Files
2008-08-29 22:19 --------- d-----w C:\Programme\Handbrake
2008-07-06 15:35 495,104 ------w C:\RapidUploader.exe
2008-03-25 15:38 92,064 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmmdm.sys
2008-03-25 15:38 9,232 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmmdfl.sys
2008-03-25 15:38 79,328 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmserd.sys
2008-03-25 15:38 66,656 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmbus.sys
2008-03-25 15:38 6,208 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmcmnt.sys
2008-03-25 15:38 5,936 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmwhnt.sys
2008-03-25 15:38 4,048 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmcr.sys
2008-03-25 15:38 25,600 ----a-w C:\Dokumente und Einstellungen\Windoof\usbsermptxp.sys
2008-03-25 15:38 22,768 ----a-w C:\Dokumente und Einstellungen\Windoof\usbsermpt.sys
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Veoh"="C:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"AlcoholAutomount"="C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Eraser"="C:\Programme\Eraser\Eraser.exe" [2007-12-23 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-05-27 413696]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Dokumente und Einstellungen\All Users\StartmenÅ\Programme\Autostart\
HP Digital Imaging Monitor.lnk - C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vwdflw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=
"C:\\CryptLoad_1.0.9\\RouterClient.exe"=
"C:\\Programme\\Pidgin\\pidgin.exe"=
"C:\\Games\\Empires Dawn of the Modern World\\Empires_DMW.exe"=

.
Inhalt des "geplante Tasks" Ordners

2008-09-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-09-14 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1221424434.job
- C:\Programme\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 18:50]
.
- - - - Entfernte verwaiste Registrierungseintr‰ge - - - -

BHO-{402A5988-6FA1-4D52-85D3-BD6BA2F58947} - C:\WINDOWS\system32\nnnkLdDt.dll
BHO-{67aa5532-a8e5-4f6e-97c4-06a8a5a24925} - C:\WINDOWS\system32\vwdflw.dll


.
------- Zus‰tzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Mozilla\Firefox\Profiles\w2w9sr9g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://indymedia.us/en/index.shtml
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF -: plugin - C:\Programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 14:26:40
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteintr‰ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\hpzipm12.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-10-06 14:31:08 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-10-06 12:31:03
ComboFix2.txt 2008-09-20 11:44:02

Vor Suchlauf: 15 Verzeichnis(se), 14.408.687.616 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 14,359,031,808 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

160 --- E O F --- 2008-04-14 15:08:29

New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:47, on 06.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Veoh Networks\Veoh\VeohClient.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\explorer.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCEE401E-DAEF-48D8-8E28-4DCCA789A581}: NameServer = 192.168.178.1
O20 - AppInit_DLLs: vwdflw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 4789 bytes
 
Thanks for returning your information, read and follow the directions carefully and in the numbered order. This may come in handy in the future:
GERMAN/DUTCH FORUM
http://forums.spybot.info/forumdisplay.php?f=15

http://forums.spybot.info/showthread.php?t=282 <<< see this
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Click to expand...
uTorrent <<< uninstall all p2p programs!


1) C:\Programme\Java\jre1.6.0_05\ <<< out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\wfalioam.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
C:\VundoFix Backups

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: vwdflw.dll <<< may be gone, removed by CFScript

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running?

Thanks
 
hi!
mbam is stull runin on the infected machine.
i ran already CFScript, but i forgot to deinstall uTorrent and and install new java runtime. so after i did that i ran combofix in the hope the script is still in there again and saved this log.

The file that you said to delete in HJT wasnt there anymore.

Gonna post all logs as soon mbam is done.
 
alright, so here are the logs in chrinological order:

CFScript:

ComboFix 08-10-05.06 - Windoof 2008-10-06 16:29:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.219 [GMT 2:00]
ausgef¸hrt von:: C:\Dokumente und Einstellungen\Windoof\Desktop\ComboFix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2008-09-06 bis 2008-10-06 ))))))))))))))))))))))))))))))
.

2008-10-06 16:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-06 16:27 . 2008-10-06 16:27 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2008-10-04 18:48 . 2008-10-04 18:48 <DIR> d-------- C:\Programme\Verimount
2008-10-04 18:48 . 2008-10-04 18:48 <DIR> d-------- C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Verimount
2008-10-04 18:47 . 2008-10-04 18:47 <DIR> d-------- C:\Programme\VideoLAN
2008-09-20 12:26 . 2008-09-20 12:26 <DIR> d-------- C:\Programme\CCleaner
2008-09-18 13:49 . 2008-09-18 13:49 <DIR> d-------- C:\Programme\ASUS
2008-09-18 12:12 . 2008-09-18 12:12 2,160 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-17 22:28 . 2008-09-19 22:13 733 --a------ C:\WINDOWS\Edofma.INI
2008-09-17 19:30 . 2008-10-05 21:54 1,403 --a------ C:\WINDOWS\wininit.ini
2008-09-17 18:43 . 2008-09-17 18:43 <DIR> d-------- C:\Programme\TeaTimer (Spybot - Search & Destroy)
2008-09-17 18:39 . 2008-10-04 18:33 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-09-17 18:39 . 2008-10-06 14:14 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-09-17 18:33 . 2008-09-17 18:45 <DIR> d-------- C:\Programme\a-squared
2008-09-16 22:28 . 2008-09-16 22:34 793,519,824 --------- C:\IOUSA(2008)DvDrip-aXXo.avi
2008-09-16 22:28 . 2008-09-16 22:29 25,296,896 --------- C:\.goutputstream-57O0HU
2008-09-14 22:29 . 2008-09-14 22:29 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Hewlett-Packard
2008-09-14 22:29 . 2003-06-23 11:44 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-09-14 22:29 . 2003-06-23 11:44 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-09-14 22:29 . 2003-06-23 11:44 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-09-14 22:29 . 2003-06-23 11:44 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-09-14 22:22 . 2008-09-14 22:22 <DIR> d-------- C:\Programme\Gemeinsame Dateien\HP
2008-09-14 22:21 . 2008-09-14 22:21 43,488 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-09-14 22:16 . 2008-09-14 22:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-09-14 22:12 . 2003-08-11 08:44 51,056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2008-09-14 22:12 . 2003-08-11 08:44 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-09-14 22:11 . 2003-08-11 08:44 21,488 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-09-14 22:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-14 22:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-09-14 22:09 . 2008-09-14 22:29 <DIR> d-------- C:\Programme\HP
2008-09-14 22:09 . 2003-08-11 08:44 34,480 --------- C:\WINDOWS\hpomdl03.dat
2008-09-14 22:09 . 2008-09-14 22:35 28,955 --a------ C:\WINDOWS\hpoins03.dat

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 14:28 --------- d-----w C:\Programme\Java
2008-09-27 22:26 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-09-17 18:11 770,048 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
2008-09-15 19:28 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\uTorrent
2008-09-14 20:41 --------- d-----w C:\Programme\Only Astrology
2008-09-11 17:56 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\.purple
2008-09-04 22:29 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\InstallShield
2008-09-04 22:27 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2008-09-04 12:23 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Atari
2008-09-04 12:15 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-09-04 12:15 --------- d-----w C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Leadertech
2008-09-02 20:04 --------- d-----w C:\Programme\Common Files
2008-08-29 22:19 --------- d-----w C:\Programme\Handbrake
2008-07-06 15:35 495,104 ------w C:\RapidUploader.exe
2008-03-25 15:38 92,064 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmmdm.sys
2008-03-25 15:38 9,232 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmmdfl.sys
2008-03-25 15:38 79,328 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmserd.sys
2008-03-25 15:38 66,656 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmbus.sys
2008-03-25 15:38 6,208 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmcmnt.sys
2008-03-25 15:38 5,936 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmwhnt.sys
2008-03-25 15:38 4,048 ----a-w C:\Dokumente und Einstellungen\Windoof\mqdmcr.sys
2008-03-25 15:38 25,600 ----a-w C:\Dokumente und Einstellungen\Windoof\usbsermptxp.sys
2008-03-25 15:38 22,768 ----a-w C:\Dokumente und Einstellungen\Windoof\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-20_13.43.17.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-21 23:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-09 23:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-21 23:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-09 23:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 00:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 00:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Veoh"="C:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"AlcoholAutomount"="C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Eraser"="C:\Programme\Eraser\Eraser.exe" [2007-12-23 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-05-27 413696]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Dokumente und Einstellungen\All Users\StartmenÅ\Programme\Autostart\
HP Digital Imaging Monitor.lnk - C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\CryptLoad_1.0.9\\RouterClient.exe"=
"C:\\Programme\\Pidgin\\pidgin.exe"=
"C:\\Games\\Empires Dawn of the Modern World\\Empires_DMW.exe"=


*Newly Created Service* - APPMGMT
.
Inhalt des "geplante Tasks" Ordners

2008-09-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-09-14 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1221424434.job
- C:\Programme\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 18:50]
.
.
------- Zus‰tzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Windoof\Anwendungsdaten\Mozilla\Firefox\Profiles\w2w9sr9g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://indymedia.us/en/index.shtml
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF -: plugin - C:\Programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 16:30:59
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteintr‰ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-10-06 16:32:38
ComboFix-quarantined-files.txt 2008-10-06 14:32:23
ComboFix2.txt 2008-10-06 14:19:41
ComboFix3.txt 2008-10-06 12:31:09
ComboFix4.txt 2008-09-20 11:44:02

Vor Suchlauf: 15 Verzeichnis(se), 14.233.923.584 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 14,224,625,664 Bytes frei

141 --- E O F --- 2008-04-14 15:08:29


mbam:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1233
Windows 5.1.2600 Service Pack 2

06.10.2008 17:24:01
mbam-log-2008-10-06 (17-24-01).txt

Scan-Methode: Vollst‰ndiger Scan (C:\|)
Durchsuchte Objekte: 110236
Laufzeit: 38 minute(s), 25 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschl¸ssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 15

Infizierte Speicherprozesse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungsschl¸ssel:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bˆsartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bˆsartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Dateien:
C:\Downloads\Diverses\Casino_the_playboy_mansion.exe (Rogue.AdorableCasino) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\edvk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP77\A0014451.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP77\A0014452.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP77\A0014493.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014553.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014554.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014555.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014556.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014561.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014562.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014563.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014565.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014566.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{38EFE82B-4617-4AB2-B54D-C02D858DFD2E}\RP79\A0014564.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

NEW HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:24:58, on 06.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Veoh Networks\Veoh\VeohClient.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Eraser\Eraser.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCEE401E-DAEF-48D8-8E28-4DCCA789A581}: NameServer = 192.168.178.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 4666 bytes
 
How is the computer running?
Click to expand...

Everything looks normal on this end, how about there? If that is a yes, then proceed like this.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, no need to post a clean scan result.

Unless I am missing something, I see no antivirus program running on the computer:sad: Going online without one anymore is cyber-suicide. If I am right and you need a good free program, here are three to choose from, install ONLY ONE.

http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
If you use AVG this tutorial may help
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

http://www.avast.com/eng/avast_4_home.html

http://www.free-av.com/

Once you have one installed, update the program and scan the system. If all is well at that point, let me know and I will close this topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Alright, thank you for your time and everything.
Im running mbam right now, but i guess there wont be anything.
Yeah, you're right, i dont have a antivirus program, because i normally surf on Ubuntu/Linux. I just use WinXP for gaming and stuff i cant run on Linux. And so i got this malware, i downloaded a video, read in the readme that its compressed and i need a prog from 'this' site, got it, ran it, screen turned into a biohazard pic saying my machine is infected and i need antivirus programs for $20.

I had Avast home, but it slowed down my starting process. but ill try some of the progs you suggested. Thx for everything man!:crowned:
 
Status
Not open for further replies.
Back
Top