rainhamron
New member
Hi,
I run Win XP Pro and CA Security anti-virus, I also use Ad-Aware and Spybot S&D. My Spybot runs every night and just about every morning I have a message telling me that 3 reg entries have been deleted, all Virtumonde related. I am also getting loads of popups (which I use a popup killer to close immediately) as well as advert panels appearing within IE pages. I have run Spybot again this morning (in safe mode) and it reports my system as clean, although it did delete stuff last night. I have appended my HijackThis and Kaspersky reports and hope you can help me. I have produced a Kaspersky report, but it won't fit on this page as it exceeds the size, neither can I attach it as it is 53kb, could you let me know how to proceed please?
Many thanks in anticipation
Ron
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:58:32, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
F:\Program Files\Kontiki\KService.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
F:\Program Files\RealVNC\WinVNC\WinVNC.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
F:\Program Files\PopUp Killer\PopUpKiller.EXE
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Kontiki\KHost.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Microsoft Office\Office10\msoffice.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Documents and Settings\Ron\Desktop\adware removal tools\HiJackThis.exe
F:\Program Files\CA\eTrust Internet Security Suite\ccupdate\CCUpdate.exe
F:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O4 - HKLM\..\Run: [cctray] "F:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PopUpKiller] F:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [CAVRID] "F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\jegftheu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] F:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - F:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://secure.sunterra.com/europe/downloads/svideo3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CaCCProvSP - CA, Inc. - F:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - F:\Program Files\RealVNC\WinVNC\WinVNC.exe
--
End of file - 6408 bytes
-------------------------------------------------------------------------------
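An added triage script (not from this thread and not HijackThis's own logic) run over a few of the log's own lines in the HijackThis v2 format. It flags the entries an analyst would look at first: a Run value that loads a DLL out of system32 through rundll32 (the kind of entry the nightly Virtumonde detections point at) and a service whose binary is missing. The heuristics and the sample lines are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the posted log, in the HijackThis v2 line format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cctray] "F:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\jegftheu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
# A DLL handed to rundll32 (quoted or not; the ",entrypoint" suffix is excluded).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Heuristic (assumed): an 8-character hex value name is opaque, not a product name.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for the lines an analyst should review first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            value, cmd = m.group('value'), m.group('cmd')
            reasons = []
            dll = RUNDLL_RE.search(cmd)
            if dll and '\\system32\\' in dll.group('dll').lower():
                reasons.append(f"rundll32 loads {dll.group('dll')} from system32")
            if HEX_NAME_RE.match(value):
                reasons.append("Run value name is an opaque hex string")
            if reasons:
                findings.append((value, '; '.join(reasons)))
            continue
        m = O23_RE.match(line)
        if m and m.group('path').endswith('(file missing)'):
            findings.append((m.group('svc'), "service binary is missing (orphaned service entry)"))
    return findings


if __name__ == '__main__':
    for item, reason in triage(SAMPLE_LOG):
        print(f"REVIEW {item}: {reason}")
```

The flagged items are review candidates, not verdicts; the DLL's hash and the value's creation time are what to check next.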