Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with Virtumonde and several rogue antispyware programs

  • This topic is locked This topic is locked
6 replies to this topic

#1 Jimbo Jambo

Jimbo Jambo

  • Members
  • 3 posts
  • Local time:05:52 PM

Posted 22 February 2009 - 12:33 AM

A few days ago Ad-Aware found a Virtumonde registry key on my computer. I attempted to remove it, but of course that didn't work. It didn't seem to be doing much at the time, but about a day later, all sorts of junk started pouring in: another Vitumonde reg key and reg value, several dozen data miners, and some rogue antispyware, the most annoying of which being MS Antivirus 2009, as well as a Windows vulnerability which seems to prevent me from opening the Task Manager. I'm able to get rid of the data miners and the vulnerability with Ad-Aware (which thankfully in turn allows me to end the MS Antivirus 2009 processes, stopping the pop-ups temporarily), although much of it comes right back as soon as I restart my computer, and the Virtumonde junk, which I'm assuming is the source of all this, comes back immediately after being supposedly removed.

Symptoms in addition to not being able to use safe mode and my computer running slowly are frequent pop-ups from the task bar, as well as web browsers and My Documents occasionally opening. I also get various error messages from time to time, one of which in particular involves System32 and forces my to shut down my computer.

I ran into a Virtumonde something a week or two ago, but that didn't stick around after I restored my computer to a previous state from before I picked up the bug. As mentioned in the topic description, I'm now prevented from using safe mode, let alone the system restore, so that's not much help in this situation. I also downloaded VundoFixer when I read a positive review on a Wikipedia discussion page, but far from actually fixing the problem, it wasn't even able to detect the malware on my system. At least I didn't pay for it....

Any help would hugely be appreciated. This is the last of my ideas of free solutions before turning to Lavasoft or McAfee and actually paying money to renew my decade-old subscriptions (which, really, I should probably do anyway, but...).

DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 23:53:31.26 on Sat 02/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.290 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uWindow Title = Windows Internet Explorer provided by Comcast
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} - c:\windows\microsoft.net\framework\v1.1.4322\libcmd.dll
BHO: {1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} - c:\windows\microsoft.net\framework\v1.1.4322\libcmd.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGwUoOi.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {77701e16-9bfe-4b63-a5b4-7bd156758a37} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9d95fd42-eedb-425b-2da4-c42b11ca9b7a}: {a7b9ac11-b24c-4ad2-b524-bdee24df59d9} - c:\windows\system32\ippjky.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\2.bin\ASKSBAR.DLL
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\2.bin\ASKSBAR.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uRun: [Aim6]
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] "c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe"
mRun: [DISCover] "c:\program files\disc\DISCover.exe"
mRun: [DiscUpdateManager] "c:\program files\disc\DiscUpdateMgr.exe"
mRun: [<NO NAME>]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] "c:\program files\mcafee.com\vso\mcvsshld.exe"
mRun: [OASClnt] "c:\program files\mcafee.com\vso\oasclnt.exe"
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp325] c:\windows\tsnp325.exe
mRun: [snp325] c:\windows\vsnp325.exe
mRun: [SeekmoOE] c:\program files\seekmo\bin\10.0.406.0\OEAddOn.exe
mRun: [SeekmoSA] "c:\program files\seekmo\bin\10.0.406.0\SeekmoSA.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [Framework Windows] frmwrk32.exe
mRun: [c83fcbd8] rundll32.exe "c:\windows\system32\gfdrwong.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
Trusted Zone: trymedia.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: hgGwUoOi - hgGwUoOi.dll
Notify: libcmd - c:\windows\microsoft.net\framework\v1.1.4322\libcmd.dll
AppInit_DLLs: ippjky.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGwUoOi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\2iwqavum.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\2iwqavum.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_SeekmoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-29 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-29 122368]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S0 auvtrdth;auvtrdth;c:\windows\system32\drivers\tydzabrn.sys [2009-2-19 25088]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys [2009-2-21 25088]
S0 cowbytkp;cowbytkp;c:\windows\system32\drivers\mowvcnzz.sys [2009-2-20 25088]
S0 heaoxpjx;heaoxpjx;c:\windows\system32\drivers\ybucfuvo.sys [2009-2-21 25088]
S0 hnrngpha;hnrngpha;c:\windows\system32\drivers\kcvruxdc.sys [2009-2-21 25088]
S0 leuogrnp;leuogrnp;c:\windows\system32\drivers\ijiceazc.sys [2009-2-21 25088]
S0 mtlunpsr;mtlunpsr;c:\windows\system32\drivers\pltimbwi.sys [2009-2-21 25088]
S0 qqycxrws;qqycxrws;c:\windows\system32\drivers\pqfxhhgy.sys [2009-2-21 25088]
S0 rhlnzzxr;rhlnzzxr;c:\windows\system32\drivers\tbduhhuh.sys [2009-2-20 25088]
S0 wytwaoca;wytwaoca;c:\windows\system32\drivers\pbnviqbd.sys [2009-2-21 25088]
S0 xjoohyvv;xjoohyvv;c:\windows\system32\drivers\qxjcoywr.sys []
S2 gupdate1c98ae64a902d66;Google Update Service (gupdate1c98ae64a902d66);c:\program files\google\update\GoogleUpdate.exe [2009-2-9 133104]
S2 KPOFYLFO;KPOFYLFO;\??\c:\windows\system32\kpofylfo.stb --> c:\windows\system32\kpofylfo.stb [?]
S2 RPCDB;RPC Debug Control;"c:\windows\system32\csts.exe" --> c:\windows\system32\csts.exe [?]
S3 2397f50a-47ac-4273-9426-b4829efb675a;2397f50a-47ac-4273-9426-b4829efb675a;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-12-29 221184]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-29 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-29 114464]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [2007-12-26 10260864]

=============== Created Last 30 ================

2009-02-21 23:42 25,088 a------- c:\windows\system32\drivers\kcvruxdc.sys
2009-02-21 23:04 25,088 a------- c:\windows\system32\drivers\pltimbwi.sys
2009-02-21 17:21 2,328 a------- c:\windows\xjoohyvv
2009-02-21 17:21 25,088 a------- c:\windows\system32\drivers\pqfxhhgy.sys
2009-02-21 14:20 1,607,789 ---sh--- c:\windows\system32\gnowrdfg.ini
2009-02-21 14:20 123,392 a------- c:\windows\system32\ippjky.dll
2009-02-21 14:20 123,392 a------- c:\windows\system32\welwlxth.dll
2009-02-21 14:18 1,607,789 ---sh--- c:\windows\system32\hkqgdeom.ini
2009-02-21 14:18 123,392 a------- c:\windows\system32\pxricm.dll
2009-02-21 14:18 123,392 a------- c:\windows\system32\mkbbucaj.dll
2009-02-21 13:16 1,716 a------- c:\windows\wytwaoca
2009-02-21 13:16 25,088 a------- c:\windows\system32\drivers\ijiceazc.sys
2009-02-21 06:55 25,088 a------- c:\windows\system32\drivers\pbnviqbd.sys
2009-02-21 06:54 123,392 a------- c:\windows\system32\endmng.dll
2009-02-21 06:54 123,392 a------- c:\windows\system32\jlyhdwue.dll
2009-02-21 00:07 25,088 a------- c:\windows\system32\drivers\phqghume.sys
2009-02-21 00:07 1,716 a------- c:\windows\rhlnzzxr
2009-02-21 00:07 25,088 a------- c:\windows\system32\drivers\ybucfuvo.sys
2009-02-20 23:59 25,088 a------- c:\windows\system32\drivers\mowvcnzz.sys
2009-02-20 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-20 23:55 213,029 a------- c:\windows\system32\opwqdlno.exe
2009-02-20 23:53 123,392 a------- c:\windows\system32\mjrtun.dll
2009-02-20 23:53 123,392 a------- c:\windows\system32\bgvhgsgs.dll
2009-02-20 23:53 1,607,797 ---sh--- c:\windows\system32\dxakcbcb.ini
2009-02-20 23:28 123,392 a------- c:\windows\system32\qzhwyp.dll
2009-02-20 23:28 123,392 a------- c:\windows\system32\sobtxwhv.dll
2009-02-20 23:25 1,607,797 ---sh--- c:\windows\system32\japqbimo.ini
2009-02-20 23:25 372 a--sh--- c:\windows\system32\ssBdLRqr.ini2
2009-02-20 23:25 372 a--sh--- c:\windows\system32\ssBdLRqr.ini
2009-02-20 23:25 25,088 a------- c:\windows\system32\drivers\tbduhhuh.sys
2009-02-20 22:51 1,607,797 ---sh--- c:\windows\system32\xydoguax.ini
2009-02-20 22:51 69,120 -------- c:\windows\system32\xaugodyx.dll
2009-02-20 22:51 123,392 a------- c:\windows\system32\jptjov.dll
2009-02-20 22:51 123,392 a------- c:\windows\system32\evyljame.dll
2009-02-20 22:51 372 a--sh--- c:\windows\system32\JQWadfii.ini2
2009-02-20 19:33 143 a------- c:\windows\system32\mcrh.tmp
2009-02-20 19:03 104,960 a------- c:\windows\system32\ntdll64.exe
2009-02-20 18:33 4,785 a------- c:\windows\system32\warning.gif
2009-02-20 18:33 1,347 a------- c:\windows\system32\ahtn.htm
2009-02-20 18:33 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-02-20 18:33 433 a------- c:\windows\system32\win32hlp.cnf
2009-02-20 18:33 1 a------- c:\windows\system32\uniq.tll
2009-02-20 18:33 26,624 a------- c:\windows\system32\frmwrk32.exe
2009-02-20 18:33 26,624 a------- c:\windows\system32\998.exe
2009-02-20 18:28 529 a------- c:\windows\system32\winlogon2.exe
2009-02-20 14:58 123,392 a------- c:\windows\system32\kloopt.dll
2009-02-20 14:57 123,392 a------- c:\windows\system32\jquswjjr.dll
2009-02-20 14:55 1,598,385 a--sh--- c:\windows\system32\jupvdepl.ini
2009-02-20 02:30 <DIR> --d----- C:\VundoFix Backups
2009-02-19 22:35 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\ooVoo Details
2009-02-19 22:34 <DIR> --d----- c:\program files\oovooToolbar
2009-02-19 14:55 48,640 a------- c:\windows\system32\ljJCuUmm.dll
2009-02-19 14:52 124,416 a------- c:\windows\system32\cytmqf.dll
2009-02-19 14:52 1,598,385 a--sh--- c:\windows\system32\ckwixaxx.ini
2009-02-19 14:52 124,416 a------- c:\windows\system32\ukfltyjn.dll
2009-02-19 14:51 4,900 a--sh--- c:\windows\system32\JQWadfii.ini
2009-02-19 14:51 1,924 a------- c:\windows\auvtrdth
2009-02-19 14:51 25,088 a------- c:\windows\system32\drivers\tydzabrn.sys
2009-02-19 14:46 47,616 a------- c:\windows\system32\hgGwUoOi.dll
2009-02-11 00:13 36,352 a------- c:\windows\system32\hgGvtspM.dll
2009-02-08 02:22 126,976 a------- c:\windows\system32\uzdeju(2).dll
2009-02-08 02:21 59,435 a--sh--- c:\windows\system32\MnqBaccf.ini2
2009-02-08 02:21 281,088 a------- c:\windows\system32\fccaBqnM(2).dll
2009-02-08 02:15 36,352 a------- c:\windows\system32\jkkLfGAT.dll

==================== Find3M ====================

2009-02-20 18:33 104,960 a------- c:\windows\system32\userinit.exe
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-12-08 02:14 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-07 20:13 0 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-11-03 21:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat

============= FINISH: 23:57:46.29 ===============

Attached Files

BC AdBot (Login to Remove)


#2 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:52 PM

Posted 22 February 2009 - 05:53 AM


Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

First of all, Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:


Select it and click ok:
Then click the Send File button below.

Then, I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also uninstall the Ask toolbar since it's not recommended either.

Then, * Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Jimbo Jambo

Jimbo Jambo
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:52 PM

Posted 04 March 2009 - 01:50 PM

Not what I really wanted to hear, but thank you very much for your help. I got rid of the Ask toolbar and Viewpoint, but for some reason I can't remove Viewpoint Manager and Viewpoint Media Player. Right now I'm struggling with the Cobain backup program - I'm trying to back everything up onto a CD in the E drive, but it keeps giving me an "incorrect function" error. I also tried copying and pasting everything manually in My Computer, but it tells me the destination is a subfolder of the source. I'm almost ready to throw caution to the wind and try cleaning up the computer without backing it up; in that case I'd at very least me able to back up my files and documents using one of the media player programs.

Anyway, supposing I get that all sorted out and manage to clean up most of the stuff on my system, if I'm able to use System Restore again, how much do you think that would help in the way of getting rid of the remainder of the stuff and repairing any otherwise permanent damage to my system? Would it help, or am I putting too much faith in it?

#4 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:52 PM

Posted 04 March 2009 - 02:04 PM


I think you're doing something wrong with the backups... unless your Windows became really corrupted in a meanwhile (which doesn't surprise me since we are already 1 week later). System Restore won't help anyway, so don't bother to try. A system restore isn't the same as a format and reinstall.
Anyway, I think it would be a good idea to perform the steps I asked previously :thumbup2:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Jimbo Jambo

Jimbo Jambo
  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:52 PM

Posted 04 March 2009 - 04:27 PM

Before I actually proceed with he rest of your instructions, I'd really like to try and push past the first step you suggested, backing up my data, which is where I'm having the trouble. I can only assume I'm doing something wrong or asking the program to do something it can't do, since I tried this only a few days after the initial infection, and nothing has really changed since then. My computer's been off and disconnected from the internet most of the time between efforts to back my stuff up. I'll see if I can find an FAQ or troubleshooting guide.

#6 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:52 PM

Posted 04 March 2009 - 04:33 PM

Can't you manually backup your data? Burn them on cd? Or transfer them to another drive? Or even upload them somewhere (for example via skydrive) or whatever?
If everything is giving you an error there, then it actually already looks like this is a game over situation where the malware already damaged too much.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes


    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:52 PM

Posted 16 March 2009 - 08:26 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users