Virtumone and other Virus's

S

spyderman2008

New member
hello hope you can help at this point i have my computer offline and using 1 from work i did run the online virus scan and have a copy of it to post when you give me instructions to do so.............thank you
 
thank you very much for the reply i now have it all fixed it tok me a while but with reading your post replies to others i was able to come up with a clean system thanks alot and could this post please be closed i know you all are very busy again THANK YOU
 
Kav Report

KASPERSKY ONLINE SCANNER REPORT
2008-03-19 11:42
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/03/2008
Kaspersky Anti-Virus database records: 643114


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 28716
Number of viruses found 8
Number of infected objects 42
Number of suspicious objects 0
Duration of the scan process 01:49:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\APP10708.LST Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Apps.Lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Diction.lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\main.idx Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\sap.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\spool.lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\STYLE.LST Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\sysnews.lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Toolbar.lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\wlk98.abi Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\wlk98.aby Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\ShopAssist\DataStore\users\WLK98.adb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\storage\cache.db Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\storage\server.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\storage\stderr.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\storage\stdout.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\BFTS\BFTSDatabase.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\BFTS\update.zip Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008031920080320\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\AOL\ACS\US\static Object is locked skipped

C:\Program Files\DAP\History\Dad\20080113.dat Object is locked skipped

C:\Program Files\DAP\Temp\ADS7FA.tmp.dap Object is locked skipped

C:\Program Files\DAP\Updates\Condition.dll Object is locked skipped

C:\Program Files\DAP\Updates\UpdateList.xml Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\gebaax.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\QooBox\Quarantine\C\WINDOWS\hgdddd.dll.vir Infected: Trojan.Win32.Agent.agv skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\abmyascp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\bkdepfof.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\cualeqxi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\foafbdpb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\frjxphko.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\gmoixfoj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hootirpp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hosver.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\iqppbfim.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jfogbaju.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kpfqdxvf.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kwvvpmoj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ldakxquq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mbimrnoi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\melftkyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nemotnxb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nqabinne.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\osparyah.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\oxrepokb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\qaxmmkrb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\qkwcxlhi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\repl.dll.vir Infected: Trojan.Win32.Agent.dfh skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ruffqape.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\secvvace.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\thhjbtug.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\tyhnwkpo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ufbnlhhb.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\uosxyroc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\woqstvhj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\yliavwtu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ypmvrvkq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\C\WINDOWS\xxywtq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\QooBox\Quarantine\catchme2008-03-17_192719.78.zip/hosver.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped

C:\QooBox\Quarantine\catchme2008-03-17_192719.78.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000199.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000200.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000202.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000203.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000205.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP2\A0000207.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped

C:\System Volume Information\_restore{9591FE82-EE13-483A-9FAA-DE178DB97D04}\RP3\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hijack Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Common Files\AOL\1187756083\ee\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F874B33F-D853-4E59-B5C8-921790153C5E}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2751 bytes
 
Hi

I see that you have ran combofix.

Please post next combofix log, it's here:

C:\ComboFix.txt
 
ComboFix Log

ComboFix 08-03-14.4 - Owner 2008-03-20 6:51:00.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-15 19:30 . 2008-03-15 19:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 19:30 . 2008-03-15 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-14 05:52 . 2008-03-15 11:24 161 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 21:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\NesterSoft
2008-03-18 00:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-17 22:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 22:28 --------- d-----w C:\Program Files\Trend Micro
2008-03-17 22:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-03-15 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-06-17 21:58 1,809,667 --sha-w C:\WINDOWS\system32\wvyxx.bak1
2007-06-18 00:54 1,808,586 --sha-w C:\WINDOWS\system32\wvyxx.bak2
2007-06-20 22:36 1,367,154 --sh--w C:\WINDOWS\system32\wvyxx.ini2
.

((((((((((((((((((((((((((((( snapshot@2008-03-17_19.29.31.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-14 23:12:01 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-19 21:26:55 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-14 23:12:01 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-19 21:26:55 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"SysRestore"="C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp192.tmp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gzspmdqA"=C:\WINDOWS\gzspmdqA.exe
"hwfutczk.exe"=C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
"iut75"=c:\windows\system32\drivers\uzcx.exe
"Lexmark_X79-55"=C:\WINDOWS\system32\lsasss.exe
"mstsc"=C:\WINDOWS\khstxnum.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"smgr"=smgr.exe
"Trend Micro AntiVirus 2007"=C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
"winehq.org"=rundll32.exe "C:\WINDOWS\ssqpqq.dll",realset
"LogitechGalleryRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S1 ensqio;ensqio;C:\WINDOWS\system32\DRIVERS\ensqio.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2004-08-04 08:00]
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys [2005-09-27 23:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 10:43:43 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-20 07:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 06:55:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 6:58:22
ComboFix-quarantined-files.txt 2008-03-20 10:58:15
ComboFix2.txt 2008-03-20 10:35:16
ComboFix3.txt 2008-03-17 23:30:21
 
Hi

Something is left.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\wvyxx.bak1
C:\WINDOWS\system32\wvyxx.bak2
C:\WINDOWS\system32\wvyxx.ini2

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SysRestore"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gzspmdqA"=-
"hwfutczk.exe"=-
"iut75"=-
"Lexmark_X79-55"=-
"winehq.org"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
NEW Combo Log

ComboFix 08-03-14.4 - Owner 2008-03-21 5:28:23.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.45 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\wvyxx.bak1
C:\WINDOWS\system32\wvyxx.bak2
C:\WINDOWS\system32\wvyxx.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wvyxx.bak1
C:\WINDOWS\system32\wvyxx.bak2
C:\WINDOWS\system32\wvyxx.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-15 19:30 . 2008-03-15 19:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 19:30 . 2008-03-15 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-14 05:52 . 2008-03-15 11:24 161 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 21:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\NesterSoft
2008-03-18 00:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-17 22:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 22:28 --------- d-----w C:\Program Files\Trend Micro
2008-03-17 22:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-03-15 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
.

((((((((((((((((((((((((((((( snapshot@2008-03-17_19.29.31.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-14 23:12:01 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-20 11:00:27 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-14 23:12:01 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-20 11:00:27 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"mstsc"=C:\WINDOWS\khstxnum.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"smgr"=smgr.exe
"Trend Micro AntiVirus 2007"=C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
"LogitechGalleryRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S1 ensqio;ensqio;C:\WINDOWS\system32\DRIVERS\ensqio.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2004-08-04 08:00]
S3 SNDP610;Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\sndp610.sys [2005-09-27 23:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 21:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-20 07:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 05:32:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-21 5:35:04
ComboFix-quarantined-files.txt 2008-03-21 09:34:44
ComboFix2.txt 2008-03-20 10:58:23
ComboFix3.txt 2008-03-20 10:35:16
ComboFix4.txt 2008-03-17 23:30:21
 
New Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:50, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2546 bytes
 
Hi

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply along with a fresh HijackThis log.
 
Malwarebytes Scan

Good Day and thanks for your help

I ran the program scan and all boxes were checked when i went to run the fix the computer just shut down with a blue screen saying to prevent damage windows was shuting down I ran it again and saved the log file and tried again same thing system just shut down i am posting the scan results for you to look over and let me know what i should do next
Thanks again
 
Malwarebytes Log File

Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 53122
Time elapsed: 28 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ofb11 (Trojan.Clicker) -> No action taken.
HKEY_CLASSES_ROOT\ofb11.1 (Trojan.Clicker) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9504ae8f-1019-4258-a047-c04ccc5301e6} (Trojan.Clicker) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c1bc108b-b3ef-4e18-8ee6-cf3c381e3783} (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\msdn_lib.msdn_hlp (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\T5QaSQ (Unknown.Malware) -> No action taken.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\rau001978.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\repl.dll.vir (Spyware.Infostealer) -> No action taken.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\tcb.pmw (Malware.Trace) -> No action taken.
 
malwarebytes Info

while waiting for a reply i decided to try and scan again this time i only had the program remove the reg keys so the results were that they went away but there are 2 files that i believe are a problem. below is the scan results....

Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Quick Scan
Objects scanned: 17427
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ofb11 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ofb11.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9504ae8f-1019-4258-a047-c04ccc5301e6} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c1bc108b-b3ef-4e18-8ee6-cf3c381e3783} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\msdn_lib.msdn_hlp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Not selected for removal.
C:\WINDOWS\tcb.pmw (Malware.Trace) -> Not selected for removal.
 
Hi

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    C:\WINDOWS\system32\fuamfu32.ini 
C:\WINDOWS\tcb.pmw
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run mbam

Post:

- mbam report
- otmoveit log
 
Otmoveit Log

C:\WINDOWS\system32\fuamfu32.ini moved successfully.
C:\WINDOWS\tcb.pmw moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03232008_020224
 
Mbam Log

Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 53318
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\rau001978.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\repl.dll.vir (Spyware.Infostealer) -> No action taken.
 
You must log in or register to reply here.
Back
Top