Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't get rid of Virtumonde


  • This topic is locked This topic is locked
7 replies to this topic

#1 scrockett

scrockett

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 12 January 2009 - 12:45 PM

Hello, this is my first post to Bleeping Computer so hopefully I'm using the proper channels. I've been tirelessly trying to rid my computer of Virtumonde with no luck. I've tried using Adaware, McAfee, Spybot, Symantec's FxVMonde, VundoFix, & VirtumondoBeGone. Nothing has solved the problem entirely. I have run Spybot repeatedly but it always finds it again. I also broke the roles slightly and ran ComboFix and it appeared as though it was gone. However after about two days it has reappeared in Spybot. I've seen various other topics on this malware in the bleeping computer community, but I can't determine what exactly I should do for my machine. Please take a look at the reports and let me know if you can help. Thanks in advance.


DDS (Ver_09-01-07.01) - NTFSx86
Run by office depot at 12:32:17.14 on Mon 01/12/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1060 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\office depot\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {1A28F753-466C-41EC-876E-6889F72AD69D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {69B720C0-C1C2-4BE7-9A19-DFAAE7009112} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {9D0F6589-77C7-47F0-ADB4-2F5DDB1EED57} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB3081] command /c del "c:\windows\system32\lybbuphk.dll_old"
uRunOnce: [SpybotDeletingD4416] cmd /c del "c:\windows\system32\lybbuphk.dll_old"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MotiveMonitor] "c:\program files\motive\asstcommon\motmon.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [<NO NAME>]
mRunOnce: [SpybotDeletingA3108] command /c del "c:\windows\KHALMNPR.Exe"
mRunOnce: [SpybotDeletingC8499] cmd /c del "c:\windows\KHALMNPR.Exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
AppInit_DLLs: digjtn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAQjHa
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-8-24 18110]
R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [2006-8-29 2944]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-8-24 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-8-24 423454]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-8-13 72680]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-8-13 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-8-13 171272]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R4 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-1-13 13568]
R4 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-1-13 33024]
R4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-8-13 103744]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-10-16 144704]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-10-16 54608]
R4 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-1-13 3456]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [2006-8-24 64964]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-12-31 8960]
S3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [2006-6-10 8078]

=============== Created Last 30 ================

2009-01-10 00:32 <DIR> a-dshr-- C:\cmdcons
2009-01-09 23:28 161,792 a------- c:\windows\SWREG.exe
2009-01-09 23:28 98,816 a------- c:\windows\sed.exe
2009-01-08 11:38 <DIR> --d----- C:\VundoFix Backups
2008-12-30 14:13 <DIR> --d----- c:\program files\SlySoft
2008-12-29 23:47 <DIR> --d----- c:\program files\iWin
2008-12-28 16:57 <DIR> --d----- c:\program files\pazera
2008-12-28 16:54 37,376 a------- c:\windows\system32\dwmapi.dll
2008-12-28 16:53 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2008-12-28 16:33 <DIR> --d----- c:\program files\FreeStudio
2008-12-28 15:58 <DIR> --d----- c:\program files\HT
2008-12-24 09:12 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2008-12-24 09:12 430,080 -c------ c:\windows\system32\dllcache\vbscript.dll
2008-12-24 09:12 180,224 -c------ c:\windows\system32\dllcache\scrobj.dll
2008-12-24 09:12 172,032 -c------ c:\windows\system32\dllcache\scrrun.dll
2008-12-24 09:12 155,648 -c------ c:\windows\system32\dllcache\wscript.exe
2008-12-24 09:12 135,168 -c------ c:\windows\system32\dllcache\cscript.exe
2008-12-24 09:12 90,112 -c------ c:\windows\system32\dllcache\wshext.dll
2008-12-24 07:19 <DIR> --d----- c:\windows\system32\scripting
2008-12-24 07:19 <DIR> --d----- c:\windows\l2schemas
2008-12-24 07:19 <DIR> --d----- c:\windows\system32\en
2008-12-24 07:19 <DIR> --d----- c:\windows\system32\bits
2008-12-24 07:15 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-24 02:10 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2008-12-24 01:35 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-23 14:40 <DIR> --d----- c:\program files\Bonjour
2008-12-20 17:18 <DIR> --d----- c:\program files\FrostWire
2008-12-18 19:16 286,720 -c------ c:\windows\system32\dllcache\gdi32.dll
2008-12-14 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2008-12-14 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc
2008-12-14 10:23 <DIR> --d----- c:\program files\SmartSound Software
2008-12-14 10:18 <DIR> --d--r-- c:\program files\AdobeElements
2008-12-14 02:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\InterVideo
2008-12-14 02:53 <DIR> --d----- c:\program files\common files\Ulead Systems
2008-12-14 02:52 <DIR> --d----- c:\program files\Corel
2008-12-14 01:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc(2)
2008-12-14 01:47 <DIR> --d----- c:\program files\SmartSound Software(2)
2008-12-14 01:06 <DIR> --d----- c:\windows\system32\syncdb

==================== Find3M ====================

2008-12-26 00:13 4,700 ac------ c:\docume~1\office~1\applic~1\ViewerApp.dat
2008-12-24 07:25 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-14 10:15 118,520 a------- c:\windows\system32\pxinsi64.exe
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-04-17 23:24 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2008-04-17 23:24 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2007-07-22 23:05 4 a------- c:\docume~1\office~1\applic~1\wklnhst.dat
2007-03-31 11:56 45,176 ac------ c:\docume~1\office~1\applic~1\GDIPFONTCACHEV1.DAT
2006-10-20 11:36 251 ac------ c:\program files\wt3d.ini

============= FINISH: 12:32:53.28 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:31 AM

Posted 14 January 2009 - 05:02 PM

Hello Scrockett and welcome to Bleeping Computer,

Please read [url="http://"http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]this tutorial[/url] carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 scrockett

scrockett
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 15 January 2009 - 07:01 PM

Hey Thunder,

Thanks so much for the reply. I still have the file from the first time I ran it. I followed the steps exactly like was stated on the webiste. I have attached the corresonding ComboFix file to this post. Please let me know if you see anything.

Thanks,

scrockett

Attached Files



#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:31 AM

Posted 16 January 2009 - 07:15 AM

Hello Scrockett,

Since that log is almost a week old,
please run ComboFix again, let it update itself,
and post the fresh log in your next reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 scrockett

scrockett
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 19 January 2009 - 04:36 PM

Hey Thunder,

Just ran ComboFix again. Please let me know if you can detect any issues. Thanks.

Attached Files



#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:31 AM

Posted 19 January 2009 - 05:26 PM

Hello Scrockett,

This log looks quite good actually. :thumbsup:

Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as fix.reg Choose to save as "all files" and place it on your Desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update11.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windowsi586-p.exe to install the newest version.
Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 scrockett

scrockett
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 20 January 2009 - 08:56 PM

Hey Thunder,

Thanks again for the follow up. I followed your directions. The only thing I couldn't do was manually uninstall ComboFix. It seemed to have uninstalled on its own before I got the chance to do it myself. It no longer appears on my desktop or add/remove programs so I assume it uninstalled itself. Aside from that everything looks pretty good. I ran Spybot a few more times for good measure and the only thing it shows now is a Right Media tracking cookie. Overall peformance seems to be better now as I'm not seeing any more "fix your comptuer" popups in internet explorer. If you don't see any potential harm from the Right Media thing, then I think I'm all set. Thanks for your help.

scrockett

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:31 AM

Posted 21 January 2009 - 05:56 AM

Glad we could help, Scrockett :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users