1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Pop-ups after cleaning Virtumonde

Discussion in 'Virus & Other Malware Removal' started by lsuteeth, Oct 6, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. lsuteeth

    lsuteeth Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    3
    I recently cleaned off Virtumonde and Trojan Horse Generic11.ANXY. I used Ad-Aware and AVG to do my cleaning.

    Everything seems to be running alright, except for the pop-ups. When I first get onto IE, I get about 7 pop-ups within the first 2 minutes. Then they subside for a while. They start up again in a succesion of about 7 more in 2 minutes. They are not blocked by the popup blocker and often pop up as full pages..yellow pages ads, screen saver stuff, lots of random ads.

    Here is my HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:38:19 PM, on 10/6/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {111654DC-0C4D-457A-8320-B95ED05B0F80} - C:\WINDOWS\system32\hgGvtQHx.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {B48D8628-E8E2-4FA0-99A6-DFB770F1C149} - C:\WINDOWS\system32\wvUnLBRH.dll (file missing)
    O2 - BHO: {9b88924e-e23a-e21a-ceb4-034db0dd31fe} - {ef13dd0b-d430-4bec-a12e-a32ee42988b9} - C:\WINDOWS\system32\xljihg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [f06f6c3d] rundll32.exe "C:\WINDOWS\system32\krhclbej.dll",b
    O4 - HKLM\..\Run: [BMf35c5fa1] Rundll32.exe "C:\WINDOWS\system32\akhlwytf.dll",s
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/J...ba/&filename=jinstall-6u6-windows-i586-jc.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - AppInit_DLLs: xljihg.dll
    O20 - Winlogon Notify: hgGvtQHx - hgGvtQHx.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPUT~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
    --
    End of file - 7508 bytes
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    adaware & AVG will not clear vundo / Virtumonde

    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.

    It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert)
    If you recieve an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot
     
  3. lsuteeth

    lsuteeth Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    3
    Here is the Notepad log...I am going to reboot now and then see how the computer does. Thank you so much for your response. I thought Vundo was gone beacuse I had gotten my destop back, etc... Now Malware found 47 files! YIKES! Thank you so much!

    Malwarebytes' Anti-Malware 1.28
    Database version: 1250
    Windows 5.1.2600 Service Pack 3
    10/10/2008 11:32:25 AM
    mbam-log-2008-10-10 (11-32-25).txt
    Scan type: Quick Scan
    Objects scanned: 65622
    Time elapsed: 11 minute(s), 54 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 20
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 21
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\system32\krhclbej.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\xljihg.dll (Trojan.Vundo) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{111654dc-0c4d-457a-8320-b95ed05b0f80} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggvtqhx (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{111654dc-0c4d-457a-8320-b95ed05b0f80} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ef13dd0b-d430-4bec-a12e-a32ee42988b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ef13dd0b-d430-4bec-a12e-a32ee42988b9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f06f6c3d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf35c5fa1 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\hgGvtQHx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xljihg.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\krhclbej.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\jeblchrk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wfdxjwsf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vjeqcv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\obixadra.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nnldwl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gkgilafs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xoymexla.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tvoomw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\ONE443.tmp\upgrade.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\akhlwytf.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMf35c5fa1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMf35c5fa1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phc70nj0ev7p.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Computer User\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Computer User\Local Settings\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    after rebooting

    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  5. lsuteeth

    lsuteeth Thread Starter

    Joined:
    Oct 6, 2008
    Messages:
    3
    Thanks for your patience. Sorry it took me a few days to do this. I have been away from this computer.

    Combofix:

    ComboFix 08-10-11.04 - Computer User 2008-10-12 22:50:57.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.386 [GMT -5:00]
    Running from: C:\Documents and Settings\Computer User\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\test.txt
    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\NDNuninstall7_48.exe
    C:\WINDOWS\system32\gduecjcp.ini
    C:\WINDOWS\system32\ggaivcpk.ini
    C:\WINDOWS\system32\HRBLnUvw.ini
    C:\WINDOWS\system32\HRBLnUvw.ini2
    C:\WINDOWS\system32\pnoosodv.ini
    C:\WINDOWS\system32\tufghqfp.ini
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
    .
    2008-10-10 11:04 . 2008-10-10 11:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-10 11:04 . 2008-10-10 11:04 <DIR> d-------- C:\Documents and Settings\Computer User\Application Data\Malwarebytes
    2008-10-10 11:04 . 2008-10-10 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-10 11:04 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-10 11:04 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-06 21:37 . 2008-10-06 21:38 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-05 10:10 . 2008-10-05 10:10 <DIR> d-------- C:\VundoFix Backups
    2008-10-04 14:36 . 2008-10-04 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-20 15:29 . 2008-09-21 01:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-20 15:29 . 2008-09-20 15:29 1,409 --a------ C:\WINDOWS\QTFont.for
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-30 00:02 117,168 ----a-w C:\Documents and Settings\Computer User\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2004-08-12 19:07 94,784 --sh--w C:\WINDOWS\twain.dll
    2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2008-04-14 00:12 84,992 --sh--w C:\WINDOWS\system32\olepro32.dll
    2008-04-14 00:12 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
    2008-04-14 00:12 551,936 --sh--w C:\WINDOWS\system32\oleaut32.dll
    2008-04-14 00:12 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
    2008-04-14 00:12 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
    2008-04-14 00:12 57,344 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2008-04-14 00:11 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-21 98304]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
    "nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 219136]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xljihg.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"= ctwdm32.dll
    "VIDC.MJPG"= pvmjpg21.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\System32\\mshta.exe"=
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    Contents of the 'Scheduled Tasks' folder
    2008-09-29 C:\WINDOWS\Tasks\Disk Cleanup.job
    - C:\WINDOWS\system32\cleanmgr.exe [2008-04-13 19:12]
    .
    - - - - ORPHANS REMOVED - - - -
    BHO-{B48D8628-E8E2-4FA0-99A6-DFB770F1C149} - C:\WINDOWS\system32\wvUnLBRH.dll
    HKCU-Run-OM_Monitor - C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    O8 -: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-12 22:57:34
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGUPSVC.EXE
    C:\WINDOWS\SYSTEM32\NVSVC32.EXE
    C:\WINDOWS\SYSTEM32\DEVLDR32.EXE
    C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-12 23:01:00 - machine was rebooted [Computer User]
    ComboFix-quarantined-files.txt 2008-10-13 04:00:54
    Pre-Run: 3,552,313,344 bytes free
    Post-Run: 10,736,615,424 bytes free
    135 --- E O F --- 2008-09-11 08:02:01


    Hijack This:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:05:50 PM, on 10/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/J...ba/&filename=jinstall-6u6-windows-i586-jc.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - AppInit_DLLs: xljihg.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPUT~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
    --
    End of file - 6239 bytes
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    just alittle bit of clearing up to do

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O20 - AppInit_DLLs: xljihg.dll
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPUT~1/LOCALS~...p_image002.jpg
    --

    reboot &

    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.
    [​IMG]


    then
    Turn off system restore by following instructions here
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

    go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

    Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


    I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature
    Open Malwarebytes Antimalware, select the protection tab, press test to see if your system will benefit from it & if it says yes, then you can press the purchase button
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - cleaning Virtumonde
  1. jllp
    Replies:
    6
    Views:
    637
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/756815

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice