#1, 04-24-2007, 01:03 PM
nikeman, Registered User (Join Date: Oct 2006, Posts: 360, OS: Win XP)

I got virtumundo

My AVG AS detects this "Adware.virtumonde" and restarts after the scan to delete it but it never gets rid of it. What should I do?

Logfile of HijackThis v1.99.1
Scan saved at 3:00:58 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

Last edited by nikeman; 04-24-2007 at 01:05 PM.
#2, 04-25-2007, 11:26 PM
nikeman, Registered User (Join Date: Oct 2006, Posts: 360, OS: Win XP)

I need help ASAP. Keep getting viruses

My computer is constantly getting infected with viruses and I think it may be causing my computer to crash very often. Any help with this would be VERY VERY much appreciated. I posted one of these the other day but I have since been infected with 3 other viruses...


Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 1:26:06 AM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\aswclnr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\asw6.tmp
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mozill~1\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\udlnkdbe.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
#3, 04-27-2007, 04:39 PM
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team (Join Date: Jan 2005, Location: Transylvania County, North Carolina, USA, Posts: 35,247, OS: 2000 Pro; XP Pro; XP Home)

Re: I got virtumundo

  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


#4, 04-27-2007, 08:01 PM
Registered User (Join Date: Oct 2006, Posts: 360, OS: Win XP)

Re: I got virtumundo

"Robert Wilmoth" - 07-04-27 21:55:58 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Robert Wilmoth\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\doyqkkaj.dll
C:\WINDOWS\system32\koflxace.dll
C:\WINDOWS\system32\mpdwphmr.dll
C:\WINDOWS\system32\mxjlkomt.dll
C:\WINDOWS\system32\udlnkdbe.dll
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\tmokljxm.ini
C:\WINDOWS\system32\ebdknldu.ini
C:\WINDOWS\system32\iifecdb.dll
C:\WINDOWS\system32\mllmj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-26 01:57 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-26 01:57 90,112 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-04-26 01:57 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-26 01:57 733,824 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-26 01:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-26 01:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-26 01:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-26 01:49 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-26 01:49 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-26 01:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-26 01:42 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-26 01:01 <DIR> d-------- C:\{00002394-0000-0000-ADE5-5878E49419C8}
2007-04-24 12:01 <DIR> d-------- C:\Program Files\CCleaner
2007-04-24 02:27 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-04-21 03:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 09:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-04-19 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Geek Squad
2007-04-19 13:54 503,808 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-19 13:54 <DIR> d-------- C:\WINDOWS\pss
2007-04-13 14:45 <DIR> d-------- C:\Deckard
2007-04-13 14:20 <DIR> d-------- C:\VundoFix Backups
2007-04-11 14:49 620,544 --a------ C:\WINDOWS\system32\stlpmt45.dll
2007-04-11 14:49 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-04-11 14:49 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-04-11 14:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-11 14:49 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-04-11 14:49 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-04-11 14:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-11 14:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-04-11 11:43 <DIR> d-------- C:\hijackthis
2007-04-11 02:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-11 02:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\PC Tools
2007-04-11 02:07 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-11 02:07 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-11 02:07 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-11 02:07 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-11 02:07 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-11 02:07 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-11 02:07 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\PC Tools
2007-04-11 01:09 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Comodo
2007-04-10 14:08 <DIR> d-------- C:\Program Files\Belkin(2)
2007-04-10 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-10 01:42 <DIR> d-------- C:\Program Files\Comodo
2007-04-09 01:32 <DIR> d-------- C:\Program Files\VisiWave Site Survey
2007-04-05 14:12 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Image Zone Express
2007-04-05 14:08 <DIR> d-------- C:\Program Files\Common Files\HP
2007-04-04 14:31 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Talkback
2007-04-01 18:07 <DIR> d-------- C:\Program Files\Pure Networks
2007-04-01 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pure Networks
2007-04-01 02:48 3,919,872 --a------ C:\DOCUME~1\ROBERT~1\ntuser.dat
2007-04-01 02:48 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-03-31 11:30 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Apple Computer
2007-03-29 23:46 21,124 --------- C:\WINDOWS\hpomdl07.dat
2007-03-29 23:46 112,886 --a------ C:\WINDOWS\hpoins07.dat
2007-03-29 20:08 <DIR> d-------- C:\Program Files\NETGEAR Print Server
2007-03-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-29 11:22 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-03-28 14:50 32,768 --a------ C:\WINDOWS\system32\drivers\nvcoi.dll
2007-03-28 14:50 300,032 --a------ C:\WINDOWS\system32\drivers\idecoi.dll
2007-03-28 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Drivers Headquarters
2007-03-28 10:30 <DIR> d-------- C:\Program Files\Common Files\Hypnotizer
2007-03-28 10:29 <DIR> d-------- C:\Program Files\QuickTime
2007-03-28 10:29 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-28 10:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-28 10:24 706,048 --a------ C:\WINDOWS\system32\libmcl-3.1.1.dll
2007-03-28 10:24 3,423,744 --a------ C:\WINDOWS\system32\libfilefmt-1.1.0.dll
2007-03-28 10:24 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.2.0.dll
2007-03-28 10:19 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-03-28 10:19 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-28 01:07 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-28 01:00 <DIR> d-------- C:\DOCUME~1\ROBERT~1\SecurityScans
2007-03-27 14:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 01:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-24 02:27 -------- d-------- C:\Program Files\limewire
2007-04-24 02:27 -------- d-------- C:\Program Files\azureus
2007-04-24 02:27 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\azureus
2007-04-24 02:26 -------- d-------- C:\Program Files\gamenow
2007-04-24 01:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-21 11:50 -------- d-------- C:\Program Files\windows defender
2007-04-20 22:32 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\dmcache
2007-04-11 01:31 -------- d-------- C:\Program Files\dvdxsoft sound recorder xp
2007-04-11 01:09 -------- d-------- C:\Program Files\Common Files\installshield
2007-04-07 01:02 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\limewire
2007-04-05 14:08 -------- d-------- C:\Program Files\hp
2007-04-05 14:07 71725 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\patchupdate_hp_counterreport_update_hpsu.log
2007-04-05 14:07 2167 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\hpsu_48bitscanupdate.log
2007-04-05 14:04 69339 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\update_hp_redboxhprblog_hpsu.log
2007-04-05 14:04 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-03-29 18:55 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\hp
2007-03-28 14:21 -------- d-------- C:\Program Files\setup files
2007-03-25 19:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-25 18:11 -------- d-------- C:\Program Files\lavasoft
2007-03-25 18:11 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\lavasoft
2007-03-25 18:06 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-24 19:14 18432 --a------ C:\WINDOWS\ss3unstl.exe
2007-03-24 18:41 -------- d-------- C:\Program Files\pmg
2007-03-21 02:01 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\styler
2007-03-21 01:58 -------- d-------- C:\Program Files\lclock
2007-03-21 01:58 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\stardock
2007-03-21 01:22 -------- d-------- C:\Program Files\nero
2007-03-20 13:34 60416 --a------ C:\WINDOWS\alcfdrtm.exe
2007-03-20 13:23 -------- d-------- C:\Program Files\microsoft activesync
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 13:16 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\real
2007-03-14 13:11 -------- d-------- C:\Program Files\real
2007-03-14 13:11 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-14 13:11 -------- d-------- C:\Program Files\Common Files\real
2007-03-12 02:44 -------- d-------- C:\Program Files\msi
2007-03-12 02:33 -------- d-------- C:\Program Files\realtek ac97
2007-03-12 02:04 -------- d-------- C:\Program Files\astra32
2007-03-11 15:18 -------- d-------- C:\Program Files\zone.com deluxe games
2007-03-11 14:15 -------- d-------- C:\Program Files\msxml 4.0
2007-03-11 00:00 -------- d-------- C:\Program Files\wildtangent
2007-03-10 18:25 1407 --a------ C:\WINDOWS\mozver.dat
2007-03-10 17:59 -------- d-------- C:\Program Files\siber systems
2007-03-10 17:49 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2007-03-10 17:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-10 16:39 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-03-10 16:39 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-03-10 12:31 -------- d-------- C:\Program Files\messenger
2007-03-10 11:55 -------- d-------- C:\Program Files\movie maker
2007-03-10 11:51 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-10 11:50 0 -rahs---- C:\MSDOS.SYS
2007-03-10 11:50 0 -rahs---- C:\IO.SYS
2007-03-10 11:50 0 --a------ C:\CONFIG.SYS
2007-03-10 11:50 0 --a------ C:\AUTOEXEC.BAT
2007-03-10 11:49 -------- d--h----- C:\Program Files\windowsupdate
2007-03-10 11:49 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-10 11:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-10 11:47 -------- d-------- C:\Program Files\windows nt
2007-03-10 11:47 -------- d-------- C:\Program Files\online services
2007-03-10 11:47 -------- d-------- C:\Program Files\msn gaming zone
2007-03-10 00:44 -------- d-------- C:\Program Files\Common Files\speechengines
2007-03-10 00:44 -------- d-------- C:\Program Files\Common Files\odbc
2007-03-10 00:43 62 --ahs---- C:\DOCUME~1\ROBERT~1\APPLIC~1\desktop.ini
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{724d43a9-0d85-11d4-9908-00400523e39a}"="C:\Program Files\Siber Systems\AI RoboForm\roboform.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"LClock"="C:\\Program Files\\LClock\\LClock.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MRI_DISABLED

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bdc893dd-ceb7-11db-b71e-806d6172696f}]


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 21:59:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 21:59:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-27 21:59



Logfile of HijackThis v1.99.1
Scan saved at 10:01:23 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: MRI_DISABLED - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
nikeman is offline  
Old 04-27-2007, 08:39 PM   #5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,247
OS: 2000 Pro; XP Pro; XP Home


Re: i got virtumundo

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please have a look inside this folder, and let me know what's there.

C:\{00002394-0000-0000-ADE5-5878E49419C8}

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Exit AVG Anti-Spyware. DO NOT scan yet.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

---------------------------------------------------------------------------------------------

Please post results from AVG Anti-Spyware, and Kaspersky online scan.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 04-27-2007, 10:47 PM   #6
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

In that file you asked about there are 3 files.
DATA.CAB
Manifest.ini
Manifest.qrm


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:02 PM 4/27/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\iifecdb.dll.vir -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP96\A0125632.dll -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.40:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.41:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.42:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.43:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.83:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.84:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.85:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.51:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.131:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.133:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.134:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.135:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.136:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.23:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.24:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Robert Wilmoth\Cookies\robert_wilmoth@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.73:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.74:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.75:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.76:C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
nikeman is offline  
Old 04-27-2007, 10:47 PM   #7
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

KASPERSKY ONLINE SCANNER REPORT
Saturday, April 28, 2007 12:45:07 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/04/2007
Kaspersky Anti-Virus database records: 304795
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics
Total number of scanned objects 45079
Number of viruses found 7
Number of infected objects 24 / 0
Number of suspicious objects 0
Duration of the scan process 00:44:54

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03102007-112429.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\.housecall6.6\Quarantine\avitompeg15.exe.bac_a02052/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.VB.e skipped
C:\Documents and Settings\Robert Wilmoth\.housecall6.6\Quarantine\avitompeg15.exe.bac_a02052 WiseSFX: infected - 1 skipped
C:\Documents and Settings\Robert Wilmoth\.housecall6.6\Quarantine\avitompeg15.exe.bac_a02052 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Robert Wilmoth\.housecall6.6\Quarantine\cmdow.exe.bac_a03036 Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\cert8.db Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\history.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\key3.db Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\parent.lock Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Identities\{06AFC769-1029-4A53-9A81-D52E93D3D213}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Identities\{06AFC769-1029-4A53-9A81-D52E93D3D213}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{29786F2D-5B6E-4803-A6AA-143F38A12CBA} Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Application Data\Mozilla\Firefox\Profiles\8yxjk026.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\History\History.IE5\MSHist012007042720070428\index.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\ntuser.dat Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Wilmoth\UserData\index.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\koflxace.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mpdwphmr.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mxjlkomt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\udlnkdbe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP26\A0038636.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP26\A0038636.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP6\A0000827.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP80\A0103276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP87\A0114709.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP87\A0114870.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP87\A0114870.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP89\A0119102.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP92\A0120397.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP92\A0120398.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP92\A0120399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP92\A0120400.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP96\A0125624.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP96\A0125625.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP96\A0125626.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{8BB7FFFD-17E4-4472-BA60-A33CCCE81898}\RP96\change.log Object is locked skipped
C:\VundoFix Backups\ydvnqbxf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SLEEPS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_720.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT00fd6.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07ad2.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
nikeman is offline  
Old 04-27-2007, 11:00 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,247
OS: 2000 Pro; XP Pro; XP Home


Re: i got virtumundo

Please delete the following folders:

C:\Qoobox
C:\VundoFix Backups


Delete the contents of this folder:

C:\Documents and Settings\Robert Wilmoth\.housecall6.6\Quarantine

Please upload the following file for review:

C:\{00002394-0000-0000-ADE5-5878E49419C8}\manifest.ini

Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4 by copy/pasting the above file path into the box next to the Browse button, and then clicking on the Send File button.

Please include a link to this topic in the message.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 04-27-2007, 11:10 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

I have deleted all of those things and I have submitted that file.
nikeman is offline  
Old 04-27-2007, 11:12 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,247
OS: 2000 Pro; XP Pro; XP Home


Re: i got virtumundo

Looks innocent.

How's your system behaving?
tetonbob is offline  
Old 04-27-2007, 11:16 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

I have a VERY long thread going actually about my computer locking up all the time. I took my comp to Geek Squad and it seems that when I got it back my computer runs a little better even though they didn't do anything but a diagnostics, BUT it also seemed to have a lot more viruses and spyware with it... I am not sure what they did, but my computer never had problems with pop-ups and explorer.exe errors and other errors I have been getting lately. It also still locks up, but not as often as before. It actually locked up when I went to safe mode to run the AVG scan for you.

EDIT: Here's that thread I was talking about...

my internet and youtube

Last edited by nikeman; 04-27-2007 at 11:18 PM.
nikeman is offline  
Old 04-27-2007, 11:25 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,247
OS: 2000 Pro; XP Pro; XP Home


Re: i got virtumundo

Well, I really meant from a malware/popup perspective. I specialize in malware removal here.

From my end, it looks clean.

You should take up the other issues in your other thread.

You should also let Girderman know about the other thread, and let them know that Vundo/Virtumundo has been vanquished. Posting multiple threads at the same time for what may be the same issue can be counter productive.

Your logs appear clean. We still have a few items to address.

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable its real-time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • Click Start >> Run, type SYSDM.CPL and press Enter.
  • Select the System Restore tab.
  • Tick the checkbox "Turn off System Restore on all drives".
  • Click Apply.
  • Then untick the same checkbox and click OK.


Enable Windows Auto Update
  • Go to Start > Run, type wuaucpl.cpl and press Enter.
  • Tick the checkbox "Automatically download the updates, and install them on the schedule that I specify".
  • Click OK.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
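An added check for the post-cleanup settings in the reply above (this is not part of tetonbob's post): a PowerShell audit that reads the registry values those dialogs write and reports whether each matches the recommended state. The value names and expected numbers are my assumptions about what the XP-era Folder Options, System Restore and Automatic Updates dialogs store; run it in the account whose Explorer view settings were changed.

```powershell
# Added example, not from the thread. Each entry pairs one step from the reply
# with the registry value that step writes and the value it should hold afterwards.
# (Assumed value names/numbers; HKCU entries are per-user, HKLM entries machine-wide.)
$checks = @(
    @{ Name = 'Show hidden files and folders (off)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'Hidden'; Expected = 2 },
    @{ Name = 'Hide file extensions for known types (on)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'; Expected = 1 },
    @{ Name = 'Hide protected operating system files (on)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'ShowSuperHidden'; Expected = 0 },
    @{ Name = 'System Restore turned back on'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
       Value = 'DisableSR'; Expected = 0 },
    @{ Name = 'Automatic Updates: download and install on schedule'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
       Value = 'AUOptions'; Expected = 4 }
)

function Test-PostCleanupSettings {
    foreach ($c in $checks) {
        # Read the single value; a missing key or value yields $null rather than an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        $state  = if ($null -eq $actual)          { 'MISSING' }
                  elseif ($actual -eq $c.Expected) { 'OK' }
                  else                             { 'MISMATCH' }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

# Print one row per setting; anything not OK is a step that still needs doing.
Test-PostCleanupSettings | Format-Table -AutoSize
```

A MISSING row usually means the dialog has never been opened on that account, so the system is still on the Windows default for that setting.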
Old 04-27-2007, 11:36 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

I am running a virus scan real quick to make sure it doesn't find anything... then I will mark as resolved.
nikeman is offline  
Copyright 2001 - 2009, Tech Support Forum