Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with AdWare.Win32.Virtumonde.vbf

  • This topic is locked This topic is locked
16 replies to this topic

#1 ufikus


  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 29 December 2008 - 08:12 PM

Not my AVG 8.0 and any other online scanner detects any threat. Just RemoveIt tool detected these two viruses: First AdWare.Win32.Virtumonde.vbf (nnnmmlji.dll) and second one identified as "trojan.win32.Monder.acoq" (pmnmnKDU.dll). Now, second day that monder.acoq mysteriously dissapeared and nothing detects it. Worst part is, that my pc is all wonky. After boot it shuts down explorer.exe. I am only able to access desktop and other programs through task manager. Starting new task explorer.exe will load desktop for about 2 seconds, till another shutting down. Its only moments I can start anything useful. Once is other program started, it works just fine. Only without explorer.exe (blank desktop and without taskbar). Horrible. Please what should I do?

Here is my DDS.txt.log

DDS (Version 1.1.0) - NTFSx86
Run by Ev§en Jindra at 1:22:07,95 on Łt 30.12.2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.42 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Onlineeye\gmxffcsrv.exe
C:\Program Files\HNetInfo2\HServer\startsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\program files\onlineeye\onlineeye.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AnyDVD\AnyDVD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Evžen Jindra\Plocha\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: CInterceptor Object: {38d3fe60-3d53-4f37-bb0e-c7a97a26a156} - c:\program files\pando networks\pando\PandoIEPlugin.dll
BHO: Game.OS: {3a303ef6-2598-4d2d-b4da-defa7cd0dc51} - c:\windows\system32\gopfa.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\nnnmmljI.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: ADSTechnology module: {831cbac0-8283-4653-9d81-feb9f3f6e47c} - ADSTechnology Class
BHO: ActivationManager module: {86a44ef7-78fc-4e18-a564-b18f806f7f56} - ActivationManager Class
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: {d002cd4b-5283-4f71-bf11-44696790e361} - c:\windows\system32\pmnmnKDU.dll
BHO: Pando Toolbar BHO: {e3ea4fd1-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: Pando Toolbar: {e3ea4fd9-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AnyDVD] c:\program files\anydvd\AnyDVD.exe
uRun: [<NO NAME>]
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [CHotkey] mHotkey.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /runonce
mRun: [OnlineTime] "c:\program files\onlineeye\onlineeye.exe"
mRun: [VersionCheck] "c:\program files\onlineeye\vcheck.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {0DCBC69B-8E6E-4AB3-A68E-47F2F9147CD2} =,
TCP: {3C4FB0C2-CF17-45DB-89F4-33AAA2744D3E} =,
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: nnnmmljI - nnnmmljI.dll
AppInit_DLLs: avgrsstx.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\nnnmmljI.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtuvVPF

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\evenji~1\dataap~1\mozilla\firefox\profiles\0vx7pmy4.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox|http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&CurrentPage=MyeBayWon&gbh=1&ssPageName=STRK:ME:LNLK
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\opera950\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera950\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.SOAPEncoding.schemaCollection", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.key.chromeAccess", 4);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("keyword.URL", "chrome://browser-region/locale/region.properties");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-8-16 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 98440]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-10 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 90632]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\VD_FileDisk.sys [2006-1-13 15872]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-10 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-10 231704]
R2 CX88XBAR;AVerMedia, AVerTV Crossbar (88x);c:\windows\system32\drivers\CX88XBAR.sys [2006-2-22 9414]
R2 gmxfwsvc;Onlineeye Firewall Service;"c:\program files\onlineeye\gmxffcsrv.exe" -service [2008-2-9 2379851]
R2 HNetInfo FTP Server;HNetInfo FTP Server;c:\program files\hnetinfo2\hserver\startsrv.exe [2004-11-20 57344]
R2 PD91Agent;PD91Agent;"c:\program files\raxco\perfectdisk2008\PD91Agent.exe" [2008-9-9 693512]
R3 axsaki;axsaki;c:\windows\system32\drivers\axsaki.sys [2003-3-30 102624]
R3 axskbus;axskbus;c:\windows\system32\drivers\axskbus.sys [2003-3-28 8640]
R3 iKeyEnum;Rainbow iKey Enumerator;c:\windows\system32\drivers\ikeyenum.sys [2006-3-27 11560]
R3 iKeyIFD;Rainbow iKey Virtual Reader;c:\windows\system32\drivers\ikeyifd.sys [2006-3-27 17256]
R3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2008-1-24 20480]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-8-18 69120]
R3 USBlyzer;USBlyzer Capture Driver;c:\windows\system32\drivers\USBlyzer.sys [2008-6-16 85376]
S2 NewServiceInstall1;NewServiceInstall1;"c:\program files\sdl international\t2007\tt\lng\Dialogs1031.lng" [2007-4-23 11264]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2007-12-29 14336]
S3 Arfumftr;A4Tech USB RF-Mouse filter driver;c:\windows\system32\drivers\Arfumftr.sys [2006-2-23 7424]
S3 CEDTVLDR;DVB-T400 USB 2.0 device firmware loader;c:\windows\system32\drivers\CEDTVLDR.sys [2007-12-22 16768]
S3 esiasdrv;esiasdrv; []
S3 FXDRV;FXDRV;\??\c:\program files\superutilities\Fxdrv.sys [2006-2-22 13440]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 PD91Engine;PD91Engine;"c:\program files\raxco\perfectdisk2008\PD91Engine.exe" [2008-9-9 906504]
S3 PD91VMDefrag;PD91VMDefrag;"c:\program files\raxco\perfectdisk2008\PD91VMDefrag.exe" [2008-2-29 226568]
S3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;c:\windows\system32\drivers\mrv8k51.sys [2006-3-31 256512]

=============== Created Last 30 ================

2008-12-29 23:59 371 a--sh--- c:\windows\system32\FPVvutwa.ini
2008-12-29 23:59 235,520 -------- c:\windows\system32\awtuvVPF.dll
2008-12-29 22:54 280 a------- c:\windows\system32\PDBootState
2008-12-29 22:35 398,042 a------- c:\windows\system32\prfh0405.dat
2008-12-29 22:35 71,566 a------- c:\windows\system32\prfc0405.dat
2008-12-29 13:29 <DIR> --dsh--- C:\$RECYCLE.BIN
2008-12-29 11:31 <DIR> --d----- c:\program files\InCode Solutions
2008-12-28 00:24 487,424 a------- c:\windows\system32\msvcp70.dll
2008-12-28 00:24 344,064 a------- c:\windows\system32\msvcr70.dll
2008-12-28 00:24 974,848 a------- c:\windows\system32\mfc70.dll
2008-12-28 00:24 <DIR> --d----- c:\program files\Registry Cleaner
2008-12-27 21:02 <DIR> --d----- c:\program files\RemoveItPro
2008-12-27 20:06 250 a------- c:\windows\gmer.ini
2008-12-27 18:45 <DIR> --d----- C:\NTFS4DOS
2008-12-27 15:39 <DIR> --d----- c:\program files\ESET
2008-12-27 14:41 371 a--sh--- c:\windows\system32\UDKnmnmp.ini
2008-12-26 12:51 37,376 a------- c:\windows\system32\nnnmmljI.dll
2008-12-22 14:31 <DIR> --d----- c:\program files\Adobe CS4
2008-12-10 18:35 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-10 17:30 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-10 17:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-10 17:30 <DIR> --d----- c:\docume~1\evenji~1\dataap~1\AVGTOOLBAR
2008-12-10 17:30 <DIR> --d----- c:\program files\AVG
2008-12-10 17:30 <DIR> --d----- c:\docume~1\alluse~1\dataap~1\avg8
2008-12-07 08:00 <DIR> --d----- c:\program files\Sublight

==================== Find3M ====================

2008-12-29 22:50 12,582,912 a------- c:\documents and settings\evžen jindra\NTUSER.DAT
2008-12-17 18:08 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-10 17:30 90,632 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-10 17:30 98,440 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-12 12:08 398,042 a------- c:\windows\system32\perfh005.dat
2008-11-12 12:08 71,566 a------- c:\windows\system32\perfc005.dat
2008-10-23 14:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 11:39 660,480 a------- c:\windows\system32\wininet.dll
2008-10-03 11:17 247,326 a------- c:\windows\system32\strmdll.dll
2008-08-04 13:21 1,806,336 a------- c:\program files\HellShare.exe
2008-06-19 08:06 87,608 a------- c:\docume~1\evenji~1\dataap~1\inst.exe
2008-06-19 08:06 47,360 a------- c:\docume~1\evenji~1\dataap~1\pcouffin.sys
2002-10-01 01:37 430,080 a------- c:\program files\FSRaid.exe
2006-02-28 23:36 8 ---shr-- c:\windows\system32\B2DDB202DE.sys
2006-02-28 23:24 56 ---shr-- c:\windows\system32\E68C88D00E.sys

============= FINISH: 1:23:10,95 ===============

Attached Files

BC AdBot (Login to Remove)


#2 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:11:23 PM

Posted 09 January 2009 - 08:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system.
Please Hold on it may take us a day or so to get back with you.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 10 January 2009 - 10:03 PM

thanks very much. However, As I am using my comp also for my job, I had to do something rather fast. So I carefully read several topics here and afterwards did cleaning myself. First, after disabling all protection, I ran combofix, who deleted those horribles in restart. Afterward I did final cleaning with help of Malwarebytes Anti-Malware. It looks, as I was succesful, because now all techniques says I am clean.
I can say, that this board is simply best. I am attaching log files produced in cleaning process.
Again thanks.

Attached Files

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 11 January 2009 - 10:34 PM

Hello, ufikus
ComboFix is an ADVANCED and POWERFUL tool which may damage the workings of your system! It's use without expert guidance is not recomended.

For example, this system has Spybot Search and Destroy's TeaTimer installed. CF can cause severe problems it TT is enabled.

You are nowhere near clean. Please follow the instructions Koan Yorel posted earlier.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 11 January 2009 - 11:29 PM

Many thanks for warning. I had no idea.
So I have turned off all protection together with firewall, disconnected from net and run DDS.
Here are results.
Evzen Jindra (Ufikus)

Attached Files

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 11 January 2009 - 11:30 PM

Hello, ufikus
Your System is Infected with a Backdoor!!
Backdoors cause severe damage to windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW!. While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recomend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recomend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:Please let me know if you wish to continue to clean this machine or if you wish to format.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 11 January 2009 - 11:42 PM

Ouch. Thanks very much. Not much pleasant information. Damn.
So it will be quite a time, before I will be again able to properly work.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 12 January 2009 - 05:42 PM

Hello, ufikus
I suggest format/reinstall, but if you wish to continue, we can.
Please DELETE any copies of ComboFix you have on this machine. We need you to download a new copy so we can be sure of what's going on.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 12 January 2009 - 06:53 PM

Thank you very much. You know, I am working on my comp, but it is not some business or store with client accounts etc... I am mostly translator, so translating from one language to another is my thing. Just fella, who gets translating jobs and has to get it done in given term. Plus ocassional work as typesetter.
If I will be able to continue, it will be simply incredible help.
Here is actual combofix log, as you requested.

Attached Files

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 12 January 2009 - 10:49 PM

Hello, ufikus
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • ESET OnlineScan's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 13 January 2009 - 04:05 PM

This was quite timeconsuming task and also unfortunately unsuccesful.
Eset onlinescanner was working and working, but after about 3 hours, I saw that IE isnt open anymore. Also scanlog wasnt created. I tried it 3 times and it always after about 3 hours shuts down without log.
Last time I looked in its runs, about 2h45 minutes, it scanned full C:/, D:/, and started E:/ .
Hmmm. (drives D: etc... I am using only for data. There are not any programs installed.

#12 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 13 January 2009 - 04:06 PM

Ahh, I forgot. At that 2:45 it showed 0 discovered threats.

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 13 January 2009 - 08:35 PM

Hello, ufikus
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Alright... we'll use this one instead of ESET.

We need to run a system scan with Dr. Web CureIt
  • Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Complete Scan"
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
In your next reply, please include the following:
  • Dr.Web's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#14 ufikus

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:23 AM

Posted 14 January 2009 - 06:43 PM

Hi again,
this time it worked fine. Scan took nearly 23 hours, but result is impressive. I am starting to wonder, how effective my AVG is.
Thanks for yout help.
DrWeb log is attached. I had to rename it, csv is not allowed type of attachment here.

Attached Files

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:23 PM

Posted 14 January 2009 - 08:58 PM

Hello, ufikus

I am starting to wonder, how effective my AVG is.

AVG isn't a bad scanner. In fact, AVG did a better job than Dr.Web here. Dr.Web found a ton of stuff inside of system restore, some files ComboFix deleted already (In CF's quarentine), and some files that are part of ComboFix itself.

Except this:
C:\Program Files\RapidshareDownloader

This one is open to debate. I'd reccomend removing it, but Dr. Web forces the job. It's a nice tool, don't get me wrong, but it's slow and is known to make mistakes from time to time. That's why I try ESET first ;)

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users