1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

win32/adware.virtumonde

Discussion in 'Virus & Other Malware Removal' started by kipz100, Sep 8, 2008.

Thread Status:
Not open for further replies.
  1. kipz100

    kipz100 Thread Starter

    Joined:
    Sep 8, 2008
    Messages:
    3
    Please help:

    win32/adware.virtumonde
    win32/Privacyremover.m64

    Have booted in safe mode, turned off system restorer, run a-squared 3.5 free, which returened 2 high risk files - hoax.win32.renos.vaos

    Removed and re-booted only to find the same problem.

    Any help would be most appreciated!!
     
  2. kipz100

    kipz100 Thread Starter

    Joined:
    Sep 8, 2008
    Messages:
    3
    Ok well downloaded Combifix after viewing a similar thread and the problems seems to have cleared...

    Here is the log:

    ComboFix 08-09-05.09 - mac 2008-09-08 12:57:14.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1484 [GMT 1:00]
    Running from: C:\Documents and Settings\mac.LONDONTOOLS\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\blphcegaj0en35.scr
    C:\WINDOWS\system32\lphcegaj0en35.exe
    C:\WINDOWS\system32\phcegaj0en35.bmp
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssservers.dat
    ----- BITS: Possible infected sites -----
    http://sbserver:8530
    .
    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .
    2008-09-08 11:00 . 2008-09-08 11:18 <DIR> d-------- C:\Program Files\a-squared Free
    2008-09-06 11:40 . 2008-09-08 13:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-06 11:39 . 2008-09-06 11:56 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-09-06 11:39 . 2008-09-06 11:39 <DIR> d-------- C:\Documents and Settings\MAC\Application Data\PC Tools
    2008-09-06 11:39 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-09-06 11:39 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-09-06 11:39 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-09-06 11:39 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-09-06 11:20 . 2008-09-06 11:25 4,254 --a------ C:\WINDOWS\system32\tmp.reg
    2008-09-06 11:19 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-09-06 11:19 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-09-06 11:19 . 2008-09-02 23:58 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
    2008-09-06 11:19 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-09-06 11:19 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-09-06 11:19 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-09-06 11:19 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-09-06 11:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-09-03 12:51 . 2008-09-03 12:51 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-09-01 16:23 . 2008-09-01 16:23 <DIR> d-------- C:\Documents and Settings\nilesh\Application Data\Apple Computer
    2008-09-01 15:42 . 2008-09-01 15:42 <DIR> d-------- C:\Documents and Settings\nilesh\Application Data\AdobeUM
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-06-12 15:50 0 ----a-w C:\Documents and Settings\MAC\Application Data\wklnhst.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-27 29744]
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-02 372813]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 143360]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 185896]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 C:\WINDOWS\stsystra.exe]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-27 29744]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-lphcegaj0en35 - C:\WINDOWS\system32\lphcegaj0en35.exe

    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    O17 -: HKLM\CCS\Interface\{91AA2E62-7660-4F1F-8403-9ADE914A08FB}: NameServer = 192.168.0.251
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-08 13:03:06
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
    C:\WINDOWS\temp\SZ6EE9.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 13:05:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 12:05:19
    Pre-Run: 348,211,785,728 bytes free
    Post-Run: 348,376,399,872 bytes free
    134 --- E O F --- 2008-07-09 16:37:59
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/747997

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice