Virtumonde Yikes!

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
Good Morning, Shaba...I think there's a light at the end of the tunnel! The Kaspersky Online Scan did not result in any kind of report. The top of the window said "No Malware Detected." I went back and looked at the Avira report and it explained why the Kaspersky scan didn't show anything. Avira did find some other files and deleted them. I've posted the log below.



Avira AntiVir Personal
Report file date: 2008-09-24 11:39

Scanning for 1641354 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: GEMINI

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 2008-08-12 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 2008-06-26 15:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008-05-26 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008-06-12 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008-05-26 14:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 2008-06-24 20:54:15
ANTIVIR2.VDF : 7.0.6.153 3341312 Bytes 2008-09-12 16:16:09
ANTIVIR3.VDF : 7.0.6.207 415744 Bytes 2008-09-24 16:16:11
Engineversion : 8.1.1.35
AEVDF.DLL : 8.1.0.5 102772 Bytes 2008-02-25 16:58:21
AESCRIPT.DLL : 8.1.0.76 319867 Bytes 2008-09-24 16:16:26
AESCN.DLL : 8.1.0.23 119156 Bytes 2008-07-10 19:44:49
AERDL.DLL : 8.1.1.2 438644 Bytes 2008-09-24 16:16:24
AEPACK.DLL : 8.1.2.3 364918 Bytes 2008-09-24 16:16:23
AEOFFICE.DLL : 8.1.0.25 196986 Bytes 2008-09-24 16:16:21
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 2008-09-24 16:16:19
AEHELP.DLL : 8.1.0.15 115063 Bytes 2008-07-10 19:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 2008-09-24 16:16:16
AEEMU.DLL : 8.1.0.7 430452 Bytes 2008-07-31 15:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 2008-09-24 16:16:13
AEBB.DLL : 8.1.0.1 53617 Bytes 2008-07-10 19:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008-07-09 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008-05-16 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 2008-09-24 16:16:12
AVREG.DLL : 8.0.0.1 33537 Bytes 2008-05-09 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008-06-12 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-23 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008-06-12 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008-06-12 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008-06-27 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-09-24 11:39

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'BttnServ.exe' - '1' Module(s) have been scanned
Scan process 'EAUSBKBD.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'CPQEADM.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'CpqEAKSystemTray.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'carpserv.exe' - '1' Module(s) have been scanned
Scan process 'STARTEAK.exe' - '1' Module(s) have been scanned
Scan process 'LwbWheel.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'ipoint.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'BrmfRsmg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'NMSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'Brmfrmps.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'brss01a.exe' - '1' Module(s) have been scanned
Scan process 'brsvc01a.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '62' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Pieces\Local Settings\Temp\.ttA3B.tmp.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.XPAntivirus.SX phishing file/email
[NOTE] The file was moved to '494e7131.qua'!
C:\Documents and Settings\Pieces\Local Settings\Temp\TDSSd2c.tmp
[DETECTION] Is the TR/Patched.CL Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nsb3.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nsc9.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nse7.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nsi7.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nsv7.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Pieces\Local Settings\Temp\nsy3.tmp\euladlg.dll
[DETECTION] Is the TR/FakeAV.AM Trojan
[NOTE] The file was deleted!
C:\Program Files\360 Degrees of Freedom\VRbrochure FX Professional Trial\VRbrochure.hta
[DETECTION] Contains recognition pattern of the HTML/ADODB.Exploit.Gen HTML script virus
[NOTE] The file was deleted!
C:\Program Files\Intuit\QuickBooks 2005\Components\DownloadQB15\NewFeatures\.update\.target\.intuit\43792
[0] Archive type: CAB (Microsoft)
--> accmax.down.gif
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001013.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001014.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001015.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001016.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001018.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP3\A0001020.exe
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP7\A0001926.hta
[DETECTION] Contains recognition pattern of the HTML/ADODB.Exploit.Gen HTML script virus
[NOTE] The file was deleted!


End of the scan: 2008-09-24 12:49
Used time: 1:09:53 Hour(s)

The scan has been done completely.

8257 Scanning directories
368927 Files were scanned
16 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
15 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
368909 Files not concerned
9332 Archives were scanned
4 Warnings
16 Notes
 
hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:25, on 2008-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\brsvc01a.exe
C:\Windows\System32\brss01a.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\BRMFRSMG.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Windows\System32\svchost.exe
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Windows\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Documents and Settings\Pieces\Local Settings\Temp\jkos-Pieces\binaries\ScanningProcess.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Documents and Settings\Pieces\My Documents\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [AutoLogon] regedit.exe /s \appl.zip\WXPPUPTW\logon.reg
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-21-1417818515-2237029002-1904607352-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Brkl')
O4 - HKUS\S-1-5-21-1417818515-2237029002-1904607352-1005\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe (User 'Brkl')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: TypePad QuickPost - http://www.typepad.com/t/app?__mode=reg_qp_js&qp_show=tb,ca,ac,ap,cb,ex,tm,kw,ew&qp_height=540
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {9A819D40-E38C-4552-88F1-13F4C60FE938} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: http://www.theseniorhousingsearch.com
O15 - Trusted Zone: http://www.typepad.com
O16 - DPF: PUFLITE - http://lisadunn.point2agent.com/ColpaControls/Photo/Control/PUFLITE.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.com/ctl/kingcomie.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://northstar.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://northstar.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcast.com/admin//hostClientIE.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://northstar.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8F53B1FC-93A1-4B95-8EA4-37ECF2F02CCE} (OmniViewer Control) - http://www.imatronics.com/activex/omniviewer/OmniViewer.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BFCE9841-F6D1-4AFE-9AC4-5E7AD4975990} (Mixpo Publisher) - http://www.mixpo.com/studio/plugins/MixpoPublisher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\System32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 11677 bytes
 
OK, let's run this:

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Still some issues left?
 
I don't see any...but you're asking the person who got herself infected in the first place! :laugh:

thank you again. I can't tell you what a relief it is to have my computer back!
 
Great :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 7.

Next we remove all used tools.

You can delete RSIT and C:\RSIT folder

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top