Multiple Virtumonde Infections - Logs Attached

[Harvey1]

Unfortunately Virtumonde got past my McAfee, and I can not remove it with Spybot S&D. I did manage to remove some other malware/adware. However, I still have Virtumonde, Virtumonde.generic, and Virtumonde.sci.

I have had a few pop-ups but not many. The main symptom is overall slow performance. Also, the Windows Security Alert icon has appeared, and I can not enable automatic updates.

My logs are below. Thank you in advance. I appreciate your help.


DDS (Version 1.1.0) - NTFSx86
Run by Jeff at 22:34:02.51 on Sat 01/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://my.att.net/
BHO: c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: c:\windows\system32\byXPIaAP.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: c:\windows\system32\rqRJDWml.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: c:\windows\system32\ztqnic.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0BF43445-2F28-4351-9252-17FE6E806AA0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
Yahoo! Toolbar
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [RegDefRun] c:\program files\auslogics\auslogics registry defrag\reginfo.exe /r
uRunOnce: [SpybotDeletingB495] command /c del "c:\windows\system32\bgxwadvs.dll_old"
uRunOnce: [SpybotDeletingD5478] cmd /c del "c:\windows\system32\bgxwadvs.dll_old"
uRunOnce: [SpybotDeletingB9676] command /c del "c:\windows\system32\~.exe"
uRunOnce: [SpybotDeletingD1696] cmd /c del "c:\windows\system32\~.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AOLDialer] "c:\program files\common files\aol\acs\AOLDial.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [SpybotDeletingA6027] command /c del "c:\windows\system32\bgxwadvs.dll_old"
mRunOnce: [SpybotDeletingC6523] cmd /c del "c:\windows\system32\bgxwadvs.dll_old"
mRunOnce: [SpybotDeletingA2467] command /c del "c:\windows\system32\~.exe"
mRunOnce: [SpybotDeletingC6339] cmd /c del "c:\windows\system32\~.exe"
IE: &AOL Toolbar search
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: rqRJDWml - rqRJDWml.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: ztqnic.dll
c:\windows\system32\rqRJDWml.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPIaAP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeff\applic~1\mozilla\firefox\profiles\qq43nls1.default\
FF - prefs.js: browser.startup.homepage - my.att.net
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-17 22:22 1,712,849 a--sh--- c:\windows\system32\PAaIPXyb.ini2
2009-01-17 12:44 46,592 a------- c:\windows\system32\ljJAPJDV.dll
2009-01-17 12:20 120 ---sh--- c:\windows\system32\svdawxgb.ini
2009-01-17 12:20 72,704 -------- c:\windows\system32\bgxwadvs.dll_old
2009-01-17 12:18 129,024 a------- c:\windows\system32\ztqnic.dll
2009-01-17 12:18 129,024 a------- c:\windows\system32\iuidainn.dll
2009-01-17 12:17 1,712,849 a--sh--- c:\windows\system32\PAaIPXyb.ini
2009-01-17 12:16 302,592 a------- c:\windows\system32\byXPIaAP.dll
2009-01-17 12:11 36,352 a------- c:\windows\system32\rqRJDWml.dll
2009-01-17 12:11 191,103 a------- c:\windows\system32\wpv971232083449.cpx
2008-12-26 00:28 388,608 a------- c:\windows\system32\CF21195.exe
2008-12-26 00:28 <DIR> --d----- C:\ComboFix
2008-12-25 00:44 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 00:44 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-24 21:20 8,368 a------- C:\ark.zip
2008-12-22 16:47 250 a------- c:\windows\gmer.ini
2008-12-19 21:13 30,208 a------- c:\windows\system32\drivers\PhotoFrame.sys
2008-12-19 21:13 <DIR> --d----- c:\program files\PhotoFrame_SST_1.5

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys
2008-11-07 18:32 2,109,440 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-04-22 19:40 20,019 a------- c:\program files\unfreez.zip
2007-04-15 16:48 891,281 ac------ c:\documents and settings\jeff\CIC.zip

============= FINISH: 22:35:20.14 ===============

[Billy O'Neal]

Hello, Harvey1
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

• In the meantime, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Finally, please reply using the button in the lower left hand corner of your screen.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:

• ComboFix.txt

BillyIII

[Harvey1]

Billy,
Thank you for your help. Here is the log. Thanks!

ComboFix 09-01-18.01 - Alex 2009-01-18 21:33:20.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.153 [GMT -5:00]
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bcwbtrct.dll
c:\windows\system32\bswqktec.dll
c:\windows\system32\byXPIaAP.dll
c:\windows\system32\cbXOFYSi.dll
c:\windows\system32\cmchvepw.dll
c:\windows\SYSTEM32\iSYFOXbc.ini
c:\windows\SYSTEM32\iSYFOXbc.ini2
c:\windows\system32\iuidainn.dll
c:\windows\system32\ljJAPJDV.dll
c:\windows\system32\ncaxsmww.dll
c:\windows\SYSTEM32\PAaIPXyb.ini
c:\windows\SYSTEM32\PAaIPXyb.ini2
c:\windows\system32\rqRJDWml.dll
c:\windows\system32\uqswrr.dll
c:\windows\system32\wpv971232083449.cpx
c:\windows\system32\ztanhm.dll
c:\windows\system32\ztqnic.dll
c:\windows\Tasks\qonozcqg.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-18 12:23 . 2009-01-18 12:23 120 --ahs---- c:\windows\SYSTEM32\cetkqwsb.ini
2009-01-18 11:31 . 2009-01-18 11:31 120 --ahs---- c:\windows\SYSTEM32\wwmsxacn.ini
2009-01-17 12:20 . 2009-01-17 12:20 120 --ahs---- c:\windows\SYSTEM32\svdawxgb.ini
2008-12-25 00:44 . 2008-12-25 00:43 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-25 00:44 . 2008-12-25 00:43 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-12-24 21:20 . 2008-12-24 21:20 8,368 --a------ C:\ark.zip
2008-12-22 16:47 . 2009-01-17 23:21 250 --a------ c:\windows\gmer.ini
2008-12-19 21:13 . 2008-12-19 21:13 <DIR> d-------- c:\program files\PhotoFrame_SST_1.5
2008-12-19 21:13 . 2007-04-02 04:37 30,208 --a------ c:\windows\SYSTEM32\DRIVERS\PhotoFrame.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 20:02 --------- d-----w c:\documents and settings\Hannah\Application Data\SiteAdvisor
2008-12-25 05:43 --------- d-----w c:\program files\Java
2008-12-13 21:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 02:33 --------- d-----w c:\documents and settings\Jeff\Application Data\Apple Computer
2008-12-01 23:45 --------- d-----w c:\program files\Modem Helper
2008-12-01 23:45 --------- d-----w c:\program files\DivX
2008-11-29 01:30 31 ----a-w c:\documents and settings\Alex\jagex_runescape_preferences.dat
2008-11-26 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-26 22:00 --------- d-----w c:\documents and settings\Alex\Application Data\pdf995
2008-11-24 22:52 --------- d-----w c:\program files\QuickTime
2008-11-24 02:07 --------- d-----w c:\program files\iTunes
2008-11-24 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 02:06 --------- d-----w c:\program files\iPod
2008-11-24 02:01 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-04-23 00:40 20,019 ----a-w c:\program files\unfreez.zip
2007-04-15 21:48 891,281 -c--a-w c:\documents and settings\Jeff\CIC.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-03 185784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Cat Daddy Games\\Renegade Paintball\\PaintballGame.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce62342-4c1d-11db-b594-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 02:56]

2008-10-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2005-11-12 c:\windows\Tasks\WebReg psc 1500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-04 20:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{06248AD4-5A88-45DE-B5AD-AEE02665C67E} - (no file)
BHO-{107386EC-A603-4AAD-A16C-AC1EADD9D232} - (no file)
BHO-{12C3D0E3-F025-4CDB-A722-93ED65D15668} - (no file)
BHO-{1FF4B3C9-7811-4EA6-83E3-E9C27EA3142D} - (no file)
BHO-{31F88D2B-90CD-447D-93DA-D87C71680DE9} - c:\windows\system32\byXPIaAP.dll
BHO-{46707315-233D-48A6-B90E-B72F05A4B87D} - (no file)
BHO-{475ab01a-b7f8-4762-8174-ea3c24a6e3e5} - (no file)
BHO-{679C4E9F-13F0-4CB0-B18A-C063C2AEDBE9} - (no file)
BHO-{6C7D76D5-B6E9-4BAB-B1CE-E61614FAD09F} - (no file)
BHO-{7EF53E8C-4313-4975-B2CB-6BC88DA1252E} - (no file)
BHO-{8632cd0c-947e-4ec6-b6cd-92b90420d0a6} - (no file)
BHO-{86db3221-0e90-4124-b230-722fa4540cb5} - (no file)
BHO-{9C211FC8-D6B8-426B-8CC2-354E35D14225} - (no file)
BHO-{ac8fb490-9d1f-4b29-982d-62b0f981f33f} - c:\windows\system32\ztanhm.dll
BHO-{D810C572-36B2-43CB-9300-3BCEE18CD019} - (no file)
BHO-{E8CE7677-2412-4A50-BE48-8EB7C917ED6A} - (no file)
HKCU-Run-GetPack27 - c:\program files\GetPack\GetPack27.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\6zn7ouaq.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.bellsouth.net/
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 21:51:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-01-18 21:58:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 02:58:39
ComboFix2.txt 2008-12-25 04:32:21

Pre-Run: 40,606,384,128 bytes free
Post-Run: 40,546,762,752 bytes free

200 --- E O F --- 2009-01-15 14:55:32

[Billy O'Neal]

Hello, Harvey1
We need to re-run ComboFix with some additonal directives.

1. Please disable any running anti-virus programs.

   If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
4. Open notepad and copy/paste the text in the quotebox below into it:
   
   Code:

   file::
   c:\windows\SYSTEM32\cetkqwsb.ini
   c:\windows\SYSTEM32\wwmsxacn.ini
   c:\windows\SYSTEM32\svdawxgb.ini

5. Save this as CFScript.txt, in the same location as ComboFix.exe
6. 
   Refering to the picture above, drag CFScript into ComboFix.exe
7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
2. Scroll down to where it says "Java Runtime Environment (JRE)6 Update 11...allows end-users to run Java applications".
3. Click the "Download" button to the right.
4. Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
5. Select your Language: "Multi-Language".
6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
7. Click Continue and the page will refresh.
8. Click on the link to download Windows Offline Installation and save the file to your desktop.
9. Close any programs you may have running - especially your web browser.
10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
12. Click the Remove or Change/Remove button.
13. Follow the onscreen instructions for the Java uninstaller.
14. Repeat as many times as necessary to remove each Java version.
15. Reboot your computer once all Java components are removed.
16. Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
17. Follow the on screen instructions to install the latest Java version.

I would like us to use ESET (NOD32)'s Online Scanner

1. Please go to ESET OnlineScan (NOD32)
2. You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
3. Now click Start
4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
5. Click Start
   • Note: (the Onlinescanner will now prepare itself for running on your pc)
6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
7. Press Scan
8. The Onlinescan will now start and scan your pc (this could take a while)
9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
11. The Scanresults will now open in Notepad
12. Click into the text area, right-click and chose "select all" (or use <Control>+A)
13. Right-click again and chose "Copy" (or <Control>+C)
14. Close/Exit Notepad
15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:

• ComboFix.txt
• ESET OnlineScan's Log

BillyIII

[Harvey1]

By ComboFix log is below. However, I did not see any old Java in the control panel. Would this vary from account to account on my computer? Also, when I tried to download JRE9 U11 it stalled each time at 6%, started over, and never got past that mark. I'm not sure what the problem is. Once I figure this out, I will complete the second scan. Thanks for your help.

ComboFix 09-01-18.01 - Alex 2009-01-18 23:48:40.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.196 [GMT -5:00]
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alex\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\cetkqwsb.ini
c:\windows\SYSTEM32\svdawxgb.ini
c:\windows\SYSTEM32\wwmsxacn.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\cetkqwsb.ini
c:\windows\SYSTEM32\svdawxgb.ini
c:\windows\SYSTEM32\wwmsxacn.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2008-12-25 00:44 . 2008-12-25 00:43 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-12-25 00:44 . 2008-12-25 00:43 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-12-24 21:20 . 2008-12-24 21:20 8,368 --a------ C:\ark.zip
2008-12-22 16:47 . 2009-01-17 23:21 250 --a------ c:\windows\gmer.ini
2008-12-19 21:13 . 2008-12-19 21:13 <DIR> d-------- c:\program files\PhotoFrame_SST_1.5
2008-12-19 21:13 . 2007-04-02 04:37 30,208 --a------ c:\windows\SYSTEM32\DRIVERS\PhotoFrame.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 20:02 --------- d-----w c:\documents and settings\Hannah\Application Data\SiteAdvisor
2008-12-25 05:43 --------- d-----w c:\program files\Java
2008-12-13 21:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-08 02:33 --------- d-----w c:\documents and settings\Jeff\Application Data\Apple Computer
2008-12-01 23:45 --------- d-----w c:\program files\Modem Helper
2008-12-01 23:45 --------- d-----w c:\program files\DivX
2008-11-29 01:30 31 ----a-w c:\documents and settings\Alex\jagex_runescape_preferences.dat
2008-11-26 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-26 22:00 --------- d-----w c:\documents and settings\Alex\Application Data\pdf995
2008-11-24 22:52 --------- d-----w c:\program files\QuickTime
2008-11-24 02:07 --------- d-----w c:\program files\iTunes
2008-11-24 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 02:06 --------- d-----w c:\program files\iPod
2008-11-24 02:01 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-21 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-07 23:32 2,109,440 ------w c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-04-23 00:40 20,019 ----a-w c:\program files\unfreez.zip
2007-04-15 21:48 891,281 -c--a-w c:\documents and settings\Jeff\CIC.zip
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_21.56.46.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-18 23:16:13 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-01-19 03:40:18 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-01-18 23:16:13 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-01-19 03:40:18 32,768 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2009-01-18 23:16:13 81,920 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2009-01-19 03:40:18 81,920 -c--a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-03 185784]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Cat Daddy Games\\Renegade Paintball\\PaintballGame.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce62342-4c1d-11db-b594-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 02:56]

2008-10-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2005-11-12 c:\windows\Tasks\WebReg psc 1500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-04 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\6zn7ouaq.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.bellsouth.net/
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 23:54:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-18 23:58:23
ComboFix-quarantined-files.txt 2009-01-19 04:57:48
ComboFix2.txt 2009-01-19 02:58:45
ComboFix3.txt 2008-12-25 04:32:21

Pre-Run: 40,512,176,128 bytes free
Post-Run: 40,494,358,528 bytes free

156 --- E O F --- 2009-01-15 14:55:32

[Billy O'Neal]

Hello, Harvey1
I'm sorry... it appears your java is up to date. Typo on my part.

Go ahead and run the ESET scan :)

BillyIII

[Harvey1]

I am running the ESET scan now and I believe it is almost done (its been running for a while now).

However, my McAfee opened a window alerting me of a potentially unwanted program several times in a row. It said it was Tool-NirCmd. I dont know if this was related to the scan, but I had McAfee remove it. Not sure what it was or where it came from so I thought I'd bring that to your attention. Overall things seem to be running smoother, but it looks like the current scan is picking up some things. Thanks for your help.

[Billy O'Neal]

That's a part of CF. One of the reasons we have A/V programs disabled before we begin.

For more info on NirCmd, see here:
http://www.nirsoft.net/utils/nircmd.html

Billy3

[Harvey1]

Oh, I figured since the ESET scan was online, it would be fine to keep McAfee turned on. Here is my log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3778 (20090119)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d32c809f0e0f3f4ca4ec7570eec47677
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-19 10:13:59
# local_time=2009-01-19 05:13:59 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=438803
# found=9
# scan_time=7389
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor2.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde51.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde53.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\26\552dca1a-4623dbd3 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5ad20d46-79661054.class Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ljJAPJDV.dll.vir a variant of Win32/Adware.Virtumonde.NDP application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1525\A0841381.dll a variant of Win32/Adware.Virtumonde.NDP application (unable to clean - deleted) 00000000000000000000000000000000

[Billy O'Neal]

Hello, Harvey1
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix

1. Please go to Start -> Run
2. Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
   
3. Press OK (Or hit enter).
4. Allow ComboFix to remove itself.

We Need to Clean Up Our Mess

1. Please download OTCleanIt from one of the following mirrors and save it to your desktop:
   • Mirror 1
   • Mirror A
2. Double click the icon.
3. Push the large "Cleanup" button.
4. Allow your system to reboot.

Recommendations
Below are some recommendations to lower your chances of (re)infection.

1. Install Spyware Blaster and update it regularly
   If you wish, the commercial version provides automatic updating.
2. Install the MVPs hosts file, and update it regularly
   You can use the HostMan host file manager to do this automaticly if you wish.
   For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
3. Install an Anti-Spyware program, and update it regularly
   Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
   SUPERAntiSpyware is another good scanner with high detection and removal rates.
   Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
4. Keep Windows (and your other Microsoft software) up to date!
   I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
   
   If you are using Windows XP or earlier
   Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
   
   If you are using Windows Vista
   1. Click the "Start Menu" (or Windows Orb)
   2. Click "All Programs"
   3. Click "Windows Update"
   4. On the left, choose "Change Settings"
   5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
   6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
   7. Click "Check for Updates" in the upper left corner.
   8. Follow the instructions to install the latest updates.
   9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
5. Keep your other software up to date as well
   Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
6. Stay up to date!
   The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

BillyIII

[Harvey1]

Billy

Thanks for your help. I am working on cleaning up that stuff now. Obviously the virtumonde got past my McAfee. Will the recommended programs above catch it? Also, can those be installed along with McAfee?

Thanks again for you help. I appreciate it.

[Billy O'Neal]

MbAM should do a decent job of dealing with Virtumonde.

Glad I was able to help :)

Billy3

[Harvey1]

Alright thanks.
One last question if you dont mind...
I downloaded that and ran a quick scan and it came up with two Malware.Trace Registry Keys. I dont know what these are but should I have the program remove them?

[Billy O'Neal]

Does it list what they are?

They're probably leftovers safe to remove....

Billy3

[Billy O'Neal]

Hello, Harvey1
Are you still here?

BillyIII

[Billy O'Neal]

Hello, Harvey1
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

BillyIII