
How Do I Remove Virtumonde &virtumonde.dll



#1 smurfs
Posted 09 September 2008 - 09:39 PM

Help, I can't get rid of a nasty virus.
Spybot tech support helped but couldn't fix it. Below is my Spybot log report and email correspondence with Spybot.
The computer won't let me delete the BHO or startup entries.
Can't start the computer in Safe Mode (F8 at startup).


Spybot email:

After having checked your report, we need some suspicious files we found in the bug report of your system for further and direct examination.
Please download the Suspicious File Packer from our website on the following page to make this easier:
http://www.safer-networking.org/files/sfp.zip
Then install it and open it. Simply copy and paste the paths given below into Step 1 and press "Continue". By pressing this button a file will be created on your desktop which contains the files below. Then please reply to this email with that file as an attachment.
With the help of these entries we will improve Spybot-S&D's database so that the threats you have encountered can be removed by one of the very next updates.

If you find that some of the files cannot be found or copied into the file packer, please try the procedure again in Windows Safe Mode (restart Windows and press F8 while booting).

===[-]========
C:\WINNT\system32\xessspbb.dll
C:\WINNT\system32\awtutqRh.dll
C:\WINNT\system32\rtbcsq.dll
C:\WINNT\system32\yaywvSiF.dll
===[-]========

Please send the files now.


Then delete the following BHOs:
{4e160942-f81f-4447-bffa-64a3a13095ca}
{4F7E9D97-BEE7-4F55-811D-19F15F2120AD}
{A3AA67AC-47BF-46F9-B6DD-31A764C95CAB}
Open Spybot in Advanced Mode via the menu item Mode, go to 'Tools' -> 'BHOs'.
Then mark the entries and remove them.


Please also delete the following Startup Entries:
C:\WINNT\system32\xessspbb.dll
C:\WINNT\system32\awtutqRh.dll
Open Spybot in Advanced Mode via the menu item Mode, go to 'Tools' -> 'System Startup'.
Then mark the entries and remove them.

Please update your antivirus software!

If this does not help, it seems to be a really nasty one.
There is a really good program against Smitfraud and Virtumonde called ComboFix.
Download ComboFix.exe from one of the links below:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then double click ComboFix.exe & follow the prompts.

Best regards
Sandra
Team Spybot

---------------------------------------------------------
Spybot-Search&Destroy: http://www.spybot.info/
.........................................................
All incoming and outgoing mails are scanned
using an up-to-date anti-virus application.
---------------------------------------------------------



I wrote:
Running Spybot 1.6.0.31, updated 9/3/2008.
Followed the directions in the last email.
Ran the program and restarted with the computer disconnected from the internet.
The "Fix problems" option displays "problems fixed" after running, but they really aren't.
Internet Explorer shows an error report and won't open or run.
WINLOGON.exe error message: "generated errors and must close"; must restart the computer.

----- Original Message -----
From: Sandra Klass
To:
Sent: Monday, September 08, 2008 2:06 AM
Subject: Re: removal of Virtumonde.dll


Hello

Please make sure that you are running the latest version of Spybot - Search & Destroy including the latest updates.

To see which version number and/or updates of Spybot - Search & Destroy you are using please run Spybot-S&D and choose "Help" --> "About" in the menu bar.
There you can see which version you have and which updates are installed.
It should be version 1.6 and the updates from the 2008/09/03.


Now make a scan with Spybot and fix the found items.
It is important that you restart the PC after fixing the found items.
Scan again with Spybot and fix anything that is found.
Then please send us a complete bug report. To do so, run Spybot - Search & Destroy and switch to Advanced Mode via the menu item Mode, let it scan, try to fix the problems (!) and then go to "Tools" --> "View Report". Tick all 10 checkboxes you can find there (leave "Do not report disabled or known legitimate items" unchecked) and click on "View Report". Now choose "Export" and save the file to your desktop. Please attach this file to your email and send it again to detections@spybot.info.
Best regards
Sandra
Team Spybot




I wrote:
Help. How can I remove Virtumonde.dll? I tried Spyware Doctor and it will not remove it.
--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1000\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde.dll: [SBI $0EAADE49] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F7E9D97-BEE7-4F55-811D-19F15F2120AD}

Virtumonde.dll: [SBI $0EAADE49] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F7E9D97-BEE7-4F55-811D-19F15F2120AD}


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-07-30 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-07-30 SDFiles.exe (1.6.0.4)
2008-07-30 SDMain.exe (1.0.0.6)
2008-07-30 SDShred.exe (1.0.2.3)
2008-07-30 SDUpdate.exe (1.6.0.9)
2008-07-30 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-08-18 TeaTimer.exe (1.6.2.23)
2006-08-27 unins000.exe (51.41.0.0)
2008-08-07 unins001.exe (51.49.0.0)
2008-07-30 Update.exe (1.6.0.7)
2008-07-30 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-30 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-30 Tools.dll (2.1.5.7)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-09-02 Includes\Adware.sbi (*)
2008-09-02 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-02 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-09-02 Includes\HijackersC.sbi (*)
2008-09-02 Includes\Keyloggers.sbi (*)
2008-09-02 Includes\KeyloggersC.sbi (*)
2008-09-02 Includes\Malware.sbi (*)
2008-09-02 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-09-02 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-09-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-09-02 Includes\Spyware.sbi (*)
2008-09-02 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-09-03 Includes\Trojans.sbi (*)
2008-09-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4 (5.0.2195)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DirectX 9: Security Update for DirectX 9 (KB941568)
/ DirectX 9: Security Update for DirectX 9 (KB951698)
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905495
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB918899
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB922760
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB925454
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB925486
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB928090
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB929969
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB931768
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB933566
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB938127
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB947864
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB948881
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB950759
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB953838
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB911567
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB923694
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB941202
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB951066
/ Windows 2000: Security Update for Windows 2000 (KB923689)
/ Windows 2000: Security Update for Windows 2000 (KB941569)
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890046
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893756
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896358
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896423
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896424
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899587
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899589
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB900725
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901017
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901214
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908519
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908531
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB911280
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB912919
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB913580
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914388
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914389
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917008
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917159
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917537
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917736
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917953
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB918118
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920213
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920670
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920683
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920685
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920958
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB921398
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB921883
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB922582
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB922616
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923191
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923810
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923980
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924191
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924270
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924667
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB925902
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926122
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926436
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB927891
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB928843
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB930178
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB931784
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB932168
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB933729
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935839
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935840
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB936021
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB937894
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB938827
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB941644
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB941693
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943055
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943485
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB944338
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB945553
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB948590
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB950749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB950760
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB950974
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB951748
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB952954
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB953839
/ Windows 2000 / SP5: Update Rollup 1 for Windows 2000 SP4
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 7.1: Security Update for Windows Media Player 7.1 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)


--- Startup entries list ---
Located: HK_LM:Run, 70801fee
command: rundll32.exe "C:\WINNT\system32\xessspbb.dll",b
file: C:\WINNT\system32\xessspbb.dll
size: 104064
MD5: BD26FFE0DB3CD4B03019661554DDC549

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\NvCpl.dll
size: 7561216
MD5: DF83B8A33CAD04F4BAA645153259EBB8

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9B2F5B9E745DEAAA57FB78329ED03061

Located: HK_CU:RunOnce, ^SetupICWDesktop
where: .DEFAULT...
command: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
file: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
size: 186640
MD5: 76D94AF73FB4C5361239782170592C4E

Located: HK_CU:Run, DW4
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
file: C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, DW6
where: S-1-5-21-1935655697-1844237615-725345543-1000...
command: "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
file: C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
size: 785520
MD5: 958925BA59B3F205A3F709F4E9379479

Located: Startup (disabled), Logitech Desktop Messenger (DISABLED)
command: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe /start
file: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe
size: 196608
MD5: 6F2E5108667BF1149D884E3CBEB9CDD1

Located: Startup (disabled), LUMIX Simple Viewer (DISABLED)
command: C:\PROGRA~1\PANASO~1\LUMIXS~1\PHLEAU~1.EXE
file: C:\PROGRA~1\PANASO~1\LUMIXS~1\PHLEAU~1.EXE
size: 61440
MD5: 6561399487153AAF46B6F78C633F8579

Located: Startup (disabled), Microsoft Find Fast (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE
file: C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE
size: 111376
MD5: 72B80AD4CB07BF67F5F33816C4F3789B

Located: Startup (disabled), Microsoft Office Shortcut Bar (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office\MSOFFICE.EXE
file: C:\PROGRA~1\MICROS~2\Office\MSOFFICE.EXE
size: 333824
MD5: 514BC43B716926716FC6F0FE051ECB6D

Located: Startup (disabled), MySoftware NewsFlash (DISABLED)
command: C:\PROGRA~1\COMMON~1\MYSOFT~1\Newsflsh.exe
file: C:\PROGRA~1\COMMON~1\MYSOFT~1\Newsflsh.exe
size: 233472
MD5: 08D7A7012A588A60EE74B669678A93B7

Located: Startup (disabled), Office Startup (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office\OSA.EXE -b
file: C:\PROGRA~1\MICROS~2\Office\OSA.EXE
size: 51984
MD5: D06276D4CAD46CDCEABEFDEB1A0D3C0D

Located: Startup (disabled), Quicken Scheduled Updates (DISABLED)
command: C:\PROGRA~1\Quicken\bagent.exe
file: C:\PROGRA~1\Quicken\bagent.exe
size: 57344
MD5: 1687EF005349A2D4D57C171548FF8D6D

Located: Startup (disabled), Remote Controller (DISABLED)
command: C:\PROGRA~1\TVTUNE~1\TVRMVCR.EXE
file: C:\PROGRA~1\TVTUNE~1\TVRMVCR.EXE
size: 102400
MD5: E00B9FF0CE1127C1765DFAEFD90E5A75

Located: Startup (disabled), Status Monitor (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), TVSCHL (DISABLED)
command: C:\PROGRA~1\TVTUNE~1\TVSCHL.EXE
file: C:\PROGRA~1\TVTUNE~1\TVSCHL.EXE
size: 118784
MD5: 94B044A6B59CBADD21AC416FCB762C42

Located: Startup (disabled), Resume Windows Update Installation (DISABLED)
command: C:\WINNT\WINDOW~1\ie6setup.exe
file: C:\WINNT\WINDOW~1\ie6setup.exe
size: 491768
MD5: 34429B572E1FF3EBCBA8090C811AE8F1

Located: WinLogon, awtutqRh
command: awtutqRh.dll
file: awtutqRh.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, nwprovau
command: nwprovau.dll
file: nwprovau.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{4e160942-f81f-4447-bffa-64a3a13095ca} ({ac59031a-3a46-affb-7444-f18f249061e4})
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: {ac59031a-3a46-affb-7444-f18f249061e4}
CLSID name:
Path: C:\WINNT\system32\
Long name: rtbcsq.dll
Short name:
Date (created): 9/8/2008 7:38:56 AM
Date (last access): 9/8/2008 6:26:40 PM
Date (last write): 9/8/2008 7:38:56 AM
Filesize: 132224
Attributes: archive
MD5: 5773BA62A3ECC108827F4164D15F80F6
CRC32: C0C18FAB

{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINNT\system32\
Long name: awtutqRh.dll
Short name:
Date (created): 9/6/2008 12:08:44 PM
Date (last access): 9/8/2008 6:12:22 PM
Date (last write): 9/6/2008 12:08:44 PM
Filesize: 34688
Attributes:
MD5: 6AADFB8D343571675B7E758CA39B2727
CRC32: 802E52A4

{A3AA67AC-47BF-46F9-B6DD-31A764C95CAB} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINNT\system32\
Long name: yaywvSiF.dll
Short name:
Date (created): 9/6/2008 12:18:06 PM
Date (last access): 9/8/2008 6:31:44 PM
Date (last write): 9/6/2008 12:18:12 PM
Filesize: 322048
Attributes: archive
MD5: 57B78C33C2E28A0396E6F50C4A46BCAF
CRC32: 21F951CE



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Installer: C:\WINNT\Downloaded Program Files\ieawsdc.inf
Codebase: http://office.microsoft.com/templates/ieawsdc.cab
description:
classification: Legitimate
known filename: IEAWSDC.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: IEAWSDC.DLL
Short name:
Date (created): 10/9/2006 4:32:12 AM
Date (last access): 9/7/2008 4:32:10 PM
Date (last write): 10/9/2006 4:32:12 AM
Filesize: 173328
Attributes: archive
MD5: 45F68BEA4AEA2A97D0891FA91378BB56
CRC32: 1E759E09
Version: 12.0.6024.0

{0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control)
DPF name:
CLSID name: Microsoft Data Collection Control
Installer:
Codebase: https://support.microsoft.com/oas/ActiveX/MSDcode.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: MSDcode.dll
Short name:
Date (created): 9/21/2007 4:58:48 PM
Date (last access): 9/7/2008 4:32:10 PM
Date (last write): 9/21/2007 4:58:48 PM
Filesize: 394320
Attributes: archive
MD5: 88FFA5217EDA703394E51C14A0BD5506
CRC32: A6B74A27
Version: 2.6.1.19

{08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class)
DPF name:
CLSID name: PlxInstall Class
Installer: C:\WINNT\Downloaded Program Files\PlaxoInstall.inf
Codebase: https://www.plaxo.com/down/latest/PlaxoInstall.cab
description:
classification: Open for discussion
known filename: PlaxoInstall.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: PlaxoInstall.dll
Short name: PLAXOI~1.DLL
Date (created): 3/6/2007 11:27:52 AM
Date (last access): 9/7/2008 4:32:10 PM
Date (last write): 3/6/2007 11:27:52 AM
Filesize: 213064
Attributes: archive
MD5: FEE69B8BB7768906D751C0436506E00A
CRC32: B49A1C76
Version: 2.13.0.12

{3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class)
DPF name:
CLSID name: ActiveDataInfo Class
Installer:
Codebase: https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
description:
classification: Legitimate
known filename: SymAData.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: SymAData.dll
Short name:
Date (created): 6/26/2006 7:21:48 PM
Date (last access): 9/8/2008 6:24:34 PM
Date (last write): 6/26/2006 7:21:48 PM
Filesize: 169672
Attributes: archive
MD5: 8AD525FD082DB46EC2F26F928042EF2A
CRC32: 16E24E94
Version: 2.6.0.1

{41564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\wmvadvd.inf
Codebase: http://download.microsoft.com/download/0/A...01F/wmvadvd.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue)
DPF name:
CLSID name: Symantec SmartIssue
Installer:
Codebase: https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
description:
classification: Legitimate
known filename: tgctlsi.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: tgctlsi.dll
Short name:
Date (created): 6/26/2006 7:21:50 PM
Date (last access): 9/7/2008 4:32:12 PM
Date (last write): 6/26/2006 7:21:50 PM
Filesize: 1091272
Attributes: archive
MD5: D0C06037624C20641F1AFEE5C6B5E6C9
CRC32: 8777DC13
Version: 6.8.520.0

{44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class)
DPF name:
CLSID name: Symantec Script Runner Class
Installer:
Codebase: https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
description:
classification: Legitimate
known filename: tgctlsr.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: tgctlsr.dll
Short name:
Date (created): 6/26/2006 7:21:52 PM
Date (last access): 9/7/2008 4:32:12 PM
Date (last write): 6/26/2006 7:21:52 PM
Filesize: 558792
Attributes: archive
MD5: 4DADC9B9D9E1FFE0D9CD8AB06254478E
CRC32: 4AA5DB1A
Version: 6.8.520.0

{5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class)
DPF name:
CLSID name: MUCatalogWebControl Class
Installer: C:\WINNT\Downloaded Program Files\MicrosoftUpdateCatalogWebControl.inf
Codebase: http://catalog.update.microsoft.com/v7/sit...b?1209859171500
Path: C:\WINNT\system32\
Long name: MicrosoftUpdateCatalogWebControl.dll
Short name: MICROS~1.DLL
Date (created): 7/31/2007 2:25:54 AM
Date (last access): 9/8/2008 6:51:56 PM
Date (last write): 7/31/2007 2:25:54 AM
Filesize: 142696
Attributes: archive
MD5: 6F28C6D6022AD49B36ED3A9BA5368805
CRC32: 91F5EA19
Version: 7.0.6000.569

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupd...b?1201727588156
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: wuweb.dll
Short name:
Date (created): 7/30/2007 8:19:46 PM
Date (last access): 9/8/2008 6:39:12 PM
Date (last write): 7/18/2008 10:09:44 PM
Filesize: 205000
Attributes: archive
MD5: 4889720E56E85E1FE4659039BB5F6E3F
CRC32: EE278BD5
Version: 7.2.6001.784

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/microsoftu...b?1209854628015
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: muweb.dll
Short name:
Date (created): 7/30/2007 7:18:34 PM
Date (last access): 9/8/2008 6:39:12 PM
Date (last write): 7/18/2008 10:07:32 PM
Filesize: 210976
Attributes: archive
MD5: C5F2BE2C84D119CCE6DB901EA49D1528
CRC32: D65E48EB
Version: 7.2.6001.784



--- Process list ---
PID: 0 ( 0) [System]
PID: 156 ( 8) \SystemRoot\System32\smss.exe
size: 45840
PID: 184 ( 156) \??\C:\WINNT\system32\csrss.exe
size: 5392
PID: 204 ( 156) \??\C:\WINNT\system32\winlogon.exe
size: 186640
PID: 232 ( 204) C:\WINNT\system32\services.exe
size: 92944
MD5: B861B4E6E9637EB76A40C10C552E0229
PID: 244 ( 204) C:\WINNT\system32\lsass.exe
size: 33552
MD5: F19D0A319AB4BF5496F08807CB9B8651
PID: 436 ( 232) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 488 ( 232) C:\WINNT\system32\spoolsv.exe
size: 47376
MD5: FACFB75ECC070103619FA044E0B210D3
PID: 516 ( 232) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 528 ( 232) C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
size: 100032
MD5: 7768CE75C5CBF0D8F441CE2BBD806B7F
PID: 588 ( 232) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 608 ( 232) C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
size: 135168
MD5: 93CBFD618F2416703F1E3DB7C2A7D979
PID: 724 ( 232) C:\WINNT\system32\nvsvc32.exe
size: 143436
MD5: AA78C4677E06CFD4FE048718EE7F6332
PID: 740 ( 232) C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
size: 964496
MD5: BE5F061339C51E433EE03C3894067EC3
PID: 784 ( 232) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 796 ( 232) C:\WINNT\system32\MSTask.exe
size: 122128
MD5: B00529EAE5D0CE97010B69CC677128C8
PID: 832 ( 232) C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
size: 176161
MD5: 8A3A2F3956BBC551A31C734BCD77419D
PID: 912 ( 232) C:\WINNT\system32\stisvc.exe
size: 61712
MD5: B75235626B950FF821146555C612F814
PID: 1000 ( 232) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 1028 ( 996) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1044 ( 232) C:\WINNT\system32\mspmspsv.exe
size: 53248
MD5: AF619B3908BB1C9336FB6981609018FE
PID: 1208 (1028) C:\WINNT\system32\rundll32.exe
size: 10000
MD5: 1ED5274825CD1EEBBE102B9FF7C9EC31
PID: 1236 (1028) C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
size: 785520
MD5: 958925BA59B3F205A3F709F4E9379479
PID: 1344 (1028) C:\Program Files\SPYBOT~1\SpybotSD.exe
size: 4891984
MD5: 9C8F0F34F66BB845B42F70E92A972B5F
PID: 900 (1028) C:\Program Files\Southwest Airlines\Ding\Ding.exe
size: 462848
MD5: 40E3146462C1E71F3D9BF5BD56247230
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/8/2008 6:57:26 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

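The report above shows the three hooks this infection uses: an HKLM Run entry that loads a random-named DLL through rundll32 with a one-letter entry point, a Winlogon\Notify package pointing at a second random-named DLL, and three BHOs whose DLLs have no registered class name (one of them the same DLL as the Notify package). The following is an added example, not from the original thread or from Safer Networking: a small triage script that parses the "Startup entries list" and "Browser helper object list" sections of a Spybot 1.6 "View Report" export and flags exactly those patterns. SAMPLE_REPORT is an excerpt constructed from the entries posted above; KNOWN_NOTIFY is an assumption, built from the entries in this report that were not flagged (WRNotifier included), and should be rebuilt from a clean machine of the same build. One caveat worth knowing when reading these logs: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so every Winlogon entry carrying it was simply not hashed (Spybot lists them by bare file name), and that hash says nothing about the file on disk.

```python
"""Triage a Spybot-S&D 1.6 'View Report' export for Virtumonde-style persistence.

Added example, not from the original thread or from Safer Networking. The
sample report is an excerpt constructed from the entries posted above.
"""
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes. Spybot prints it when it could not read the file (it
# lists Winlogon\Notify DLLs by bare name), so it means "not hashed".
EMPTY_MD5 = hashlib.md5(b"", usedforsecurity=False).hexdigest().upper()

# ASSUMPTION: baseline of Winlogon\Notify packages taken from the entries in
# the posted report that are not flagged. Rebuild it from a clean machine.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "nwprovau",
                "sclgntfy", "SensLogn", "wzcnotif", "WRNotifier"}

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)

# Constructed excerpt of the report posted above (sizes and paths trimmed).
SAMPLE_REPORT = r"""--- Startup entries list ---
Located: HK_LM:Run, 70801fee
command: rundll32.exe "C:\WINNT\system32\xessspbb.dll",b
file: C:\WINNT\system32\xessspbb.dll
MD5: BD26FFE0DB3CD4B03019661554DDC549

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\NvCpl.dll
MD5: DF83B8A33CAD04F4BAA645153259EBB8

Located: WinLogon, awtutqRh
file: awtutqRh.dll
MD5: D41D8CD98F00B204E9800998ECF8427E

Located: WinLogon, crypt32chain
file: crypt32.dll
MD5: D41D8CD98F00B204E9800998ECF8427E

--- Browser helper object list ---
{4e160942-f81f-4447-bffa-64a3a13095ca} ({ac59031a-3a46-affb-7444-f18f249061e4})
BHO name: {ac59031a-3a46-affb-7444-f18f249061e4}
Long name: rtbcsq.dll
MD5: 5773BA62A3ECC108827F4164D15F80F6

{4F7E9D97-BEE7-4F55-811D-19F15F2120AD} ()
BHO name:
Long name: awtutqRh.dll
MD5: 6AADFB8D343571675B7E758CA39B2727

{A3AA67AC-47BF-46F9-B6DD-31A764C95CAB} ()
BHO name:
Long name: yaywvSiF.dll
MD5: 57B78C33C2E28A0396E6F50C4A46BCAF
"""


def _sections(report):
    """Map each '--- Name ---' heading to the text that follows it."""
    parts = re.split(r"^--- (.+?) ---[ \t]*$", report, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def _blocks(body):
    """Yield one dict per blank-line-separated block; '_head' is its first line."""
    for chunk in re.split(r"\n\s*\n", body.strip()):
        lines = chunk.splitlines()
        if not lines:
            continue
        rec = {"_head": lines[0].strip()}
        for line in lines[1:]:
            key, sep, val = line.partition(":")
            if sep:
                rec[key.strip()] = val.strip()
        yield rec


def triage(report):
    """Return ({dll: [reasons]}, {dlls whose hash the scanner could not compute})."""
    secs = _sections(report)
    findings, locations, unverified = defaultdict(list), defaultdict(set), set()

    for rec in _blocks(secs.get("Startup entries list", "")):
        head = rec["_head"]                       # e.g. "Located: WinLogon, awtutqRh"
        dll = rec.get("file", "").rsplit("\\", 1)[-1].lower()
        if not dll:
            continue
        locations[dll].add(head.split(",")[0])
        if rec.get("MD5", "").upper() == EMPTY_MD5:
            unverified.add(dll)
        if head.startswith("Located: WinLogon"):
            pkg = head.split(",", 1)[1].strip()
            if pkg not in KNOWN_NOTIFY:
                findings[dll].append(f"Winlogon\\Notify package '{pkg}' not in baseline")
        m = RUNDLL_RE.search(rec.get("command", ""))
        if m and len(m.group(2)) <= 1:            # rundll32 "<dll>",b style loader
            findings[dll].append(f"rundll32 entry point {m.group(2)!r} is a single letter")

    for rec in _blocks(secs.get("Browser helper object list", "")):
        dll = rec.get("Long name", "").lower()
        if not dll:
            continue
        locations[dll].add("BHO")
        name = rec.get("BHO name", "")
        if not name or GUID_RE.match(name):       # a real BHO registers a class name
            findings[dll].append(f"BHO {rec['_head'].split()[0]} has no class name")

    for dll, locs in locations.items():           # same DLL in two hooks: strong signal
        if dll in findings and len(locs) > 1:
            findings[dll].append(f"persists in {len(locs)} places: {sorted(locs)}")
    return dict(findings), unverified


if __name__ == "__main__":
    flagged, unhashed = triage(SAMPLE_REPORT)
    for dll, reasons in sorted(flagged.items()):
        print(dll + (" (hash unavailable)" if dll in unhashed else ""))
        for reason in reasons:
            print("    - " + reason)
```

Run against the constructed sample it flags xessspbb.dll, awtutqRh.dll, rtbcsq.dll and yaywvSiF.dll and leaves NvCpl.dll and crypt32.dll alone; awtutqRh.dll collects three reasons because it sits in both the Notify and BHO hooks. The rundll32 and class-name checks are structural, so they do not depend on the random file names, which change from infection to infection.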

#2 DaChew
Posted 10 September 2008 - 12:49 AM

This is a real good program against Smitfraud and Virtumonde called ComboFix.
Download ComboFix.exe from one of the links below:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then double click ComboFix.exe & follow the prompts.

Best regards
Sandra
Team Spybot


http://www.bleepingcomputer.com/forums/ind...st&p=929733

Would you please forward this link back to Spybot?

I love the program and have used it for years; the immunization has really improved.


Would you give MBAM a try? Make sure TeaTimer is disabled.

http://www.bleepingcomputer.com/forums/ind...st&p=938314
Chewy

No. Try not. Do... or do not. There is no try.



