
Virtumonde & Other Weird Stuff. Please Help


This topic is locked. 2 replies to this topic.

#1 reeves

Posted 19 May 2008 - 01:43 AM

Hi,

I have run through several different sets of removal guides. I've done the castlecops one as well as followed the info listed here. I've managed to remove most of it, it would seem, but am having a problem with virtumonde.

What was happening:
pop-ups, browser redirects, spybot search and destroy (sbs&d) going crazy and popping up the resident boxes informing me that it blocked several things from working, sbs&d showing that I had several different viruses, Avast showing several viruses.

What is currently happening:
Avast still shows the viruses as being on my comp, although I'm not getting the pop-ups. I uninstalled and reinstalled sbs&d and the notifications that it was blocking something have gone away.

I've also scanned this with trojanhunter (c:windows\system32\orxumway.exe infected by win32:privacyset [TRJ])

Here are the reports as instructed:


Deckard's System Scanner v20071014.68
Run by MU on 2008-05-19 00:21:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MU.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:53 AM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\MU\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MU.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41E1DD19-C2D5-4B31-915F-29D5193C7D6D} - C:\WINDOWS\system32\yabcc.dll (file missing)
O2 - BHO: (no name) - {70E7DC18-EBB5-480E-8365-6682422C81F8} - C:\WINDOWS\system32\hgdbx.dll (file missing)
O2 - BHO: (no name) - {76BDC912-6F31-4CBF-ADEE-8E71FA7C8EC3} - C:\WINDOWS\system32\pmklk.dll (file missing)
O2 - BHO: (no name) - {78C0F647-6912-49A4-B03B-3EC403F5FE81} - C:\WINDOWS\system32\fcyyv.dll (file missing)
O2 - BHO: (no name) - {85DB3121-24DB-4B8E-A358-9745FE91D24B} - C:\WINDOWS\system32\tusqn.dll (file missing)
O2 - BHO: (no name) - {D68322C3-1BCC-4045-877D-E302B630AB9E} - C:\WINDOWS\system32\ljjii.dll (file missing)
O2 - BHO: (no name) - {E21ED8A6-4EDE-4E34-8CE3-1D8B5B2D9911} - C:\WINDOWS\system32\awtrp.dll (file missing)
O2 - BHO: (no name) - {E9A2B158-8A4A-4ECF-B561-6A2D270D1AB6} - C:\WINDOWS\system32\qopnm.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files

--
End of file - 5135 bytes

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 00:21:39 0 d-------- C:\Program Files\Trend Micro
2008-05-18 22:31:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-18 22:31:25 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-18 22:31:25 0 d-------- C:\WINDOWS\LastGood
2008-05-18 22:04:08 68096 --a------ C:\WINDOWS\zip.exe
2008-05-18 22:04:08 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-18 22:04:08 80412 --a------ C:\WINDOWS\grep.exe
2008-05-18 22:04:07 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-18 22:04:07 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-18 22:04:07 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-18 22:04:07 98816 --a------ C:\WINDOWS\sed.exe
2008-05-18 22:04:07 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-18 21:56:47 0 d-------- C:\VundoFix Backups
2008-05-18 17:30:35 0 d-------- C:\Documents and Settings\MU\Application Data\TrojanHunter
2008-05-18 17:27:39 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-05-18 17:01:56 0 d-------- C:\Program Files\Avast4
2008-05-18 13:13:25 0 d-------- C:\Documents and Settings\MU\.housecall6.6
2008-05-18 12:37:34 0 d-------- C:\Program Files\Lavasoft
2008-05-18 12:37:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 12:36:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 12:34:55 0 dr-h----- C:\Documents and Settings\MU\Recent
2008-05-16 19:44:56 2230 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-16 19:43:42 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-16 19:43:42 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-16 19:43:42 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-16 19:43:42 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-16 19:43:42 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-16 19:43:42 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-16 19:43:42 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-16 19:43:42 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-16 19:37:14 0 d-------- C:\Documents and Settings\MU\Application Data\Malwarebytes
2008-05-16 19:36:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:49:31 0 d-------- C:\WINDOWS\pss
2008-05-06 13:22:15 1560576 --a------ C:\WINDOWS\system32\JDSecure31.exe <Not Verified; Lexar Media, Inc.; Lexar JumpDrive Secure 3.1>
2008-05-05 21:00:38 0 d-------- C:\Documents and Settings\MU\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2008-05-18 12:36:33 0 d-------- C:\Program Files\Common Files
2008-05-13 19:13:17 0 d-------- C:\Documents and Settings\MU\Application Data\AdobeUM
2008-05-08 19:01:31 0 d-------- C:\Documents and Settings\MU\Application Data\U3
2008-05-04 16:01:39 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-16 20:31:50 4212 --a------ C:\Documents and Settings\MU\Application Data\update.log
2008-04-04 00:16:54 0 d-------- C:\Documents and Settings\MU\Application Data\Apple Computer
2008-04-04 00:08:56 0 d-------- C:\Program Files\QuickTime
2008-03-27 19:28:40 0 d-------- C:\Program Files\iTunes
2008-02-23 23:43:59 2547 --a------ C:\WINDOWS\unins000.dat
2008-02-23 23:43:10 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 22:56:08 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-23 22:53:38 1167 --a------ C:\WINDOWS\mozver.dat
2008-02-23 22:36:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-23 22:24:34 24064 --a------ C:\WINDOWS\autoload.exe
2008-02-23 21:57:26 0 -rahs---- C:\MSDOS.SYS
2008-02-23 21:57:26 0 -rahs---- C:\IO.SYS
2008-02-23 21:57:26 0 --a------ C:\CONFIG.SYS
2008-02-23 21:57:26 0 --a------ C:\AUTOEXEC.BAT
2008-02-23 21:52:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-23 13:43:03 62 --ahs---- C:\Documents and Settings\MU\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41E1DD19-C2D5-4B31-915F-29D5193C7D6D}]
C:\WINDOWS\system32\yabcc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70E7DC18-EBB5-480E-8365-6682422C81F8}]
C:\WINDOWS\system32\hgdbx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76BDC912-6F31-4CBF-ADEE-8E71FA7C8EC3}]
C:\WINDOWS\system32\pmklk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C0F647-6912-49A4-B03B-3EC403F5FE81}]
C:\WINDOWS\system32\fcyyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85DB3121-24DB-4B8E-A358-9745FE91D24B}]
C:\WINDOWS\system32\tusqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D68322C3-1BCC-4045-877D-E302B630AB9E}]
C:\WINDOWS\system32\ljjii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E21ED8A6-4EDE-4E34-8CE3-1D8B5B2D9911}]
C:\WINDOWS\system32\awtrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9A2B158-8A4A-4ECF-B561-6A2D270D1AB6}]
C:\WINDOWS\system32\qopnm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 03:10 PM]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/2003 01:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/29/2008 12:37 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVSystemCare"="C:\Program Files\AVSystemCare\pgs.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28751cc8]
rundll32.exe "C:\WINDOWS\system32\xstlcvxq.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM2b462f54"=Rundll32.exe "C:\WINDOWS\system32\fuhjbbev.dll",s


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8391e9f3-ebe2-11dc-9978-00085402ef3c}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9935c112-02b0-11dd-9989-00085402ef3c}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe056a07-e66b-11dc-9974-00085402ef3c}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe




-- End of Deckard's System Scanner: finished at 2008-05-19 00:22:15 ------------





Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ processor
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 1279.48 MiB / 928 MiB
Pagefile Memory (total/avail): 3054.58 MiB / 2810.58 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.64 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 38.33 GiB total, 20.88 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ExcelStor Technology J240 - 38.34 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.33 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

AV: avast! antivirus 4.8.1201 [VPS 080518-1] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\MU\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MU-28322B774E5F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\MU
LOGONSERVER=\\MU-28322B774E5F
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 4, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MU\LOCALS~1\Temp
TMP=C:\DOCUME~1\MU\LOCALS~1\Temp
USERDOMAIN=MU-28322B774E5F
USERNAME=MU
USERPROFILE=C:\Documents and Settings\MU
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

MU (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
avast! Antivirus --> C:\Program Files\Avast4\aswRunDll.exe "C:\Program Files\Avast4\Setup\setiface.dll",RunSetup
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Canon MP Navigator 2.0 --> "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.0\uninst.ini
Canon MP500 --> "C:\WINDOWS\system32\CanonMP Uninstaller Information\{BA4DF4C3-196E-4128-969A-00996B5A46F8}\DelDrv.exe" /U:{BA4DF4C3-196E-4128-969A-00996B5A46F8} /L0x0009
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
HijackThis 2.0.2 --> "C:\Documents and Settings\MU\Desktop\HiJackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type626 / Error
Event Submitted/Written: 05/18/2008 06:28:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type625 / Error
Event Submitted/Written: 05/18/2008 06:28:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module shell32.dll, version 6.0.2900.2180, fault address 0x001d4d7a.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type607 / Success
Event Submitted/Written: 05/18/2008 00:28:00 PM
Event ID/Source: 3 / JD SECURE 3.0
Event Description:
=>Application was successfully removed

Event Record #/Type571 / Error
Event Submitted/Written: 05/15/2008 05:37:21 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type562 / Error
Event Submitted/Written: 05/12/2008 06:10:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4626 / Error
Event Submitted/Written: 05/18/2008 06:02:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type4625 / Error
Event Submitted/Written: 05/18/2008 06:02:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type4624 / Error
Event Submitted/Written: 05/18/2008 05:35:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type4623 / Error
Event Submitted/Written: 05/18/2008 05:35:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type4622 / Error
Event Submitted/Written: 05/18/2008 05:33:33 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-05-19 00:21:14 ------------


KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 11:29:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 783897
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\MU\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 9735
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:11:57

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.

Edited by reeves, 19 May 2008 - 02:01 AM.



#2 steamwiz

Posted 21 May 2008 - 05:14 PM

Hi

Please explain what you mean by this :- "Virtumonde & Other Weird Stuff."

Your logs are essentially clean, just some orphan (empty) registry keys belonging to vundo ... NO files ...

If you mean this :-

"Avast still shows the viruses and being on my comp although I'm not getting the popups"

Is this one found by Avast?

c:windows\system32\orxumway.exe

Tell me everything Avast is finding ... filenames & locations ...

I can see you've run VundoFix & Malwarebytes .. what else have you run ?

-

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
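Added example (not from this thread, and not code from HijackThis, Deckard's System Scanner or any other tool named above): a small Python triage of the O2 (BHO) lines in a HijackThis log that separates the orphan "(file missing)" keys steamwiz describes from BHOs whose DLL is still on disk. The sample lines are copied from the log posted above; the five-letter-DLL-name heuristic is my own assumption, not a rule from the page.

```python
import re
from dataclasses import dataclass

# Excerpt copied from the HijackThis log posted in this thread; the R1, O3 and
# O4 lines are included so the parser has non-BHO entries to pass over.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41E1DD19-C2D5-4B31-915F-29D5193C7D6D} - C:\WINDOWS\system32\yabcc.dll (file missing)
O2 - BHO: (no name) - {70E7DC18-EBB5-480E-8365-6682422C81F8} - C:\WINDOWS\system32\hgdbx.dll (file missing)
O2 - BHO: (no name) - {E9A2B158-8A4A-4ECF-B561-6A2D270D1AB6} - C:\WINDOWS\system32\qopnm.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
"""

# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r" - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed heuristic only: the Vundo-era BHO DLLs in this log are five lowercase
# letters under system32 (yabcc.dll, hgdbx.dll, ...). A legitimate DLL can match too.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool

    @property
    def orphan(self) -> bool:
        """Registry key still present, but HijackThis could not find the DLL."""
        return self.file_missing

    @property
    def suspicious_name(self) -> bool:
        return self.name == "(no name)" and RANDOM_DLL_RE.search(self.path) is not None


def parse_bho_entries(log_text: str) -> list[BhoEntry]:
    """Return every O2 (BHO) entry in a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m is None:
            continue  # not an O2 line (R1, O3, O4, ...)
        entries.append(BhoEntry(
            name=m["name"],
            clsid=m["clsid"].upper(),
            path=m["path"],
            file_missing=m["missing"] is not None,
        ))
    return entries


def triage(log_text: str) -> dict[str, list[str]]:
    """Bucket BHO CLSIDs: orphan keys (DLL gone) are clean-up items; live
    entries with a random-looking name still warrant a scan, the loader exists."""
    report = {"orphan": [], "live": [], "live_suspicious": []}
    for e in parse_bho_entries(log_text):
        if e.orphan:
            report["orphan"].append(e.clsid)
        elif e.suspicious_name:
            report["live_suspicious"].append(e.clsid)
        else:
            report["live"].append(e.clsid)
    return report


if __name__ == "__main__":
    for bucket, clsids in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(clsids)}")
        for c in clsids:
            print("   ", c)
```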

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 26 June 2008 - 01:40 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
