Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hello, I have Virtumonde! Please help...


  • This topic is locked This topic is locked
11 replies to this topic

#1 dummest evar

dummest evar

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 22 March 2009 - 10:13 AM

Hello. Normal surfing via Firefox resulted in a pop-up from Winpatrol alerting me of a violation - Spybot scans indicate that it is Virtumonde. Of course, this thing keeps installing itself when deleted. I am able to disallow registry changes and therefore the only issues I am having are multiple pop-ups from Spybot and Winpatrol asking about allowing registry changes. Winpatrol does it so often that I have closed the program for now.

Issue 2 - I realize I have not (probably) kept all updates current, but I have tried. There are so many things on my computer - Winpatrol, AVG Free, SuperAntiSpyware, Spybot - are any of these an actual firewall??? I guess I know most are not, but what exactly is Winpatrol? Anyway, here is the DDS stuff. I greatly appreciate any help, and I thank you in advance.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 9:01:04.98 on Sun 03/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.39 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\3-21-09 Virtumonde remove\dds.com

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {136f8d84-cff9-47e0-8784-c16a7235065e} - c:\windows\system32\piyepolo.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [f87d4cd3] rundll32.exe "c:\windows\system32\tigayadi.dll",b
mRun: [CPMfb4e7f4f] Rundll32.exe "c:\windows\system32\puzohilo.dll",a
mRun: [rigewavoge] Rundll32.exe "c:\windows\system32\ladesava.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - hxxp://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\jokabaje.dll mcgmmi.dll xckdpm.dll c:\windows\system32\puzohilo.dll c:\windows\system32\zomumuzo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\puzohilo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\puzohilo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\jokabaje.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\8tarj7dr.default\
FF - prefs.js: browser.startup.homepage - hxxp://msn.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-4-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-14 107912]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\Kbfilter.sys [2004-1-27 11682]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-6-6 40625]

=============== Created Last 30 ================

2009-03-22 05:17 1,791,169 ---sh--- c:\windows\system32\idayagit.ini
2009-03-22 05:17 128,512 a--sh--- c:\windows\system32\xckdpm.dll
2009-03-21 17:16 1,791,169 ---sh--- c:\windows\system32\ufebavij.ini
2009-03-21 17:16 129,536 a--sh--- c:\windows\system32\mcgmmi.dll
2009-03-21 05:17 128,000 a--sh--- c:\windows\system32\mzdorz.dll
2009-03-21 05:17 1,791,147 ---sh--- c:\windows\system32\atadanal.ini
2009-03-21 05:17 95,232 a--sh--- c:\windows\system32\bovusuyo.dll
2009-03-21 05:17 128,000 a--sh--- c:\windows\system32\gufulise.dll
2009-03-20 19:36 153 a------- c:\windows\wininit.ini
2009-03-20 17:16 129,536 a--sh--- c:\windows\system32\rmmpxy.dll
2009-03-14 10:06 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-14 10:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-14 10:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-14 10:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-14 10:06 <DIR> --d----- c:\program files\AVG
2009-03-14 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-03-22 05:16 128,512 a--sh--- c:\windows\system32\mirawize.dll
2009-03-22 05:16 95,232 a--sh--- c:\windows\system32\puzohilo.dll
2009-03-22 05:16 90,624 a--sh--- c:\windows\system32\tigayadi.dll
2009-03-21 17:16 90,624 -------- c:\windows\system32\jivabefu.dll
2009-03-21 17:16 129,536 a--sh--- c:\windows\system32\tisisiga.dll
2009-03-21 17:16 94,720 a--sh--- c:\windows\system32\zomumuzo.dll
2009-03-21 05:17 90,112 -------- c:\windows\system32\lanadata.dll
2009-03-20 17:16 129,536 a--sh--- c:\windows\system32\kikoyara.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-25 07:20 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-21 18:12 163 a------- c:\documents and settings\user\xrt_log.dat
2008-09-16 10:00 1,111,632 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2006-07-11 17:10 61,737,440 a------- c:\program files\World_Wind_1.3.5_Full.exe
2006-07-11 14:18 24,265,736 a------- c:\program files\dotnetfx.exe
2006-07-11 12:44 61,737,440 a------- c:\program files\Nasa World Wind Setup.exe
2005-06-05 14:17 63,488 a------- c:\documents and settings\all users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-05 23:27 2,184 a------- c:\program files\uninstal.log
0000-00-00 00:00 58,880 a--sh--- c:\windows\system32\jokabaje.dll
0000-00-00 00:00 58,880 a--sh--- c:\windows\system32\ladesava.dll
0000-00-00 00:00 58,880 a--sh--- c:\windows\system32\piyepolo.dll

============= FINISH: 9:05:40.04 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:21 PM

Posted 22 March 2009 - 10:44 AM

Hello, dummest evar

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#3 dummest evar

dummest evar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 22 March 2009 - 10:49 AM

Thanks. I will be able to respond to you almost immediately, and I greatly appreciate your help.

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:21 PM

Posted 22 March 2009 - 11:06 AM

Hello,

MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • MBAM log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#5 dummest evar

dummest evar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 22 March 2009 - 11:52 AM

okay. have baby in one hand; one handed typing. winpatrol, upon reboot that mab asked for, found new startup files - all the bad things, so i disallowed them. thats whats been happening all along. here are the new dds things:

note - apparently i cant find the attach option now. i will try to find it again, if not available will post text here unless you say not to...







DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 10:45:01.43 on Sun 03/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.54 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\User\Desktop\3-21-09 Virtumonde remove\dds.com

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {136f8d84-cff9-47e0-8784-c16a7235065e} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CPMfb4e7f4f] Rundll32.exe "c:\windows\system32\zomumuzo.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - hxxp://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: ,,, c:\windows\system32\zomumuzo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\8tarj7dr.default\
FF - prefs.js: browser.startup.homepage - hxxp://msn.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-4-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-14 107912]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\Kbfilter.sys [2004-1-27 11682]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-14 298264]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-6-6 40625]

=============== Created Last 30 ================

2009-03-22 05:17 128,512 a--sh--- c:\windows\system32\xckdpm.dll
2009-03-21 17:16 129,536 a--sh--- c:\windows\system32\mcgmmi.dll
2009-03-21 05:17 128,000 a--sh--- c:\windows\system32\mzdorz.dll
2009-03-21 05:17 95,232 a--sh--- c:\windows\system32\bovusuyo.dll
2009-03-20 19:36 153 a------- c:\windows\wininit.ini
2009-03-20 17:16 129,536 a--sh--- c:\windows\system32\rmmpxy.dll
2009-03-14 10:06 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-14 10:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-14 10:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-14 10:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-14 10:06 <DIR> --d----- c:\program files\AVG
2009-03-14 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-03-22 05:16 128,512 a--sh--- c:\windows\system32\mirawize.dll
2009-03-21 17:16 94,720 a--sh--- c:\windows\system32\zomumuzo.dll
2009-03-20 17:16 129,536 a--sh--- c:\windows\system32\kikoyara.dll
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-25 07:20 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-21 18:12 163 a------- c:\documents and settings\user\xrt_log.dat
2008-09-16 10:00 1,111,632 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2006-07-11 17:10 61,737,440 a------- c:\program files\World_Wind_1.3.5_Full.exe
2006-07-11 14:18 24,265,736 a------- c:\program files\dotnetfx.exe
2006-07-11 12:44 61,737,440 a------- c:\program files\Nasa World Wind Setup.exe
2005-06-05 14:17 63,488 a------- c:\documents and settings\all users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-05 23:27 2,184 a------- c:\program files\uninstal.log

============= FINISH: 10:46:17.53 ===============

#6 dummest evar

dummest evar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 22 March 2009 - 11:56 AM

Sorry - failed to read properly. Won't post the other, here is Malware log:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/22/2009 10:34:29 AM
mbam-log-2009-03-22 (10-34-29).txt

Scan type: Quick Scan
Objects scanned: 82062
Time elapsed: 16 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 8
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tigayadi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jokabaje.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\puzohilo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ladesava.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\piyepolo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jivabefu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gufulise.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tisisiga.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{136f8d84-cff9-47e0-8784-c16a7235065e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{136f8d84-cff9-47e0-8784-c16a7235065e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{136f8d84-cff9-47e0-8784-c16a7235065e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f87d4cd3 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmfb4e7f4f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rigewavoge (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jokabaje.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jokabaje.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jokabaje.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\puzohilo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\puzohilo.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jivabefu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ufebavij.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lanadata.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atadanal.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tigayadi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\idayagit.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\puzohilo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\piyepolo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jokabaje.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ladesava.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\temp\e.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FR9735SO\load[1].php (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gufulise.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tisisiga.dll (Trojan.Vundo) -> Delete on reboot.

#7 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:21 PM

Posted 22 March 2009 - 06:44 PM

Hello,

Registry Backup

Backup Your Registry with ERUNT
  • Download from here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

OTMoveIt

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    c:\windows\system32\xckdpm.dll
    c:\windows\system32\mcgmmi.dll
    c:\windows\system32\mzdorz.dll
    c:\windows\system32\bovusuyo.dll
    c:\windows\system32\rmmpxy.dll
    c:\windows\system32\mirawize.dll
    c:\windows\system32\zomumuzo.dll
    c:\windows\system32\kikoyara.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CPMfb4e7f4f"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppinitDLLs"=-
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • OTMI log
  • ESET log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#8 dummest evar

dummest evar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 22 March 2009 - 11:45 PM

Hi again. (Note - I downloaded Move It from your link, but when I opened it there was already a bunch of stuff in the results box. I had a virus many months ago and used Move It at that time under the advice of someone much like yourself - could that be a remnant from then? I thought it was, since there should be no results from just having downloaded the file tonight... so, I highlighted them and deleted them (!). I hope that is okay... Move it log:


========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\xckdpm.dll
c:\windows\system32\xckdpm.dll NOT unregistered.
c:\windows\system32\xckdpm.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mcgmmi.dll
c:\windows\system32\mcgmmi.dll NOT unregistered.
c:\windows\system32\mcgmmi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mzdorz.dll
c:\windows\system32\mzdorz.dll NOT unregistered.
c:\windows\system32\mzdorz.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\bovusuyo.dll
c:\windows\system32\bovusuyo.dll NOT unregistered.
c:\windows\system32\bovusuyo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\rmmpxy.dll
c:\windows\system32\rmmpxy.dll NOT unregistered.
c:\windows\system32\rmmpxy.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mirawize.dll
c:\windows\system32\mirawize.dll NOT unregistered.
c:\windows\system32\mirawize.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\zomumuzo.dll
c:\windows\system32\zomumuzo.dll NOT unregistered.
c:\windows\system32\zomumuzo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kikoyara.dll
c:\windows\system32\kikoyara.dll NOT unregistered.
c:\windows\system32\kikoyara.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CPMfb4e7f4f deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\AppinitDLLs not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\etilqs_3Pgys7HAmOQz5B61MAhu scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFE5B7.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFE60E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFEF36.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFEF53.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\8tarj7dr.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03222009_211922


------------------------------------------------------------------------------------------------------

ESET log:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3953 (20090321)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5db53b5587adbf4ea461c25e680c74a7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-23 04:37:28
# local_time=2009-03-22 10:37:28 (-0700, Mountain Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=210743
# found=0
# scan_time=3654

-----------------------------------------------------------------------------


DDS Log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 22:41:47.21 on Sun 03/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.189 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Desktop\3-21-09 Virtumonde remove\dds.com

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {136f8d84-cff9-47e0-8784-c16a7235065e} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174968086125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - hxxp://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/NetMeter_preinstaller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: ,,,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\8tarj7dr.default\
FF - prefs.js: browser.startup.homepage - hxxp://msn.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-14 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-4-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-14 107912]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\Kbfilter.sys [2004-1-27 11682]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-14 298264]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-6-6 40625]

=============== Created Last 30 ================

2009-03-22 21:34 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-22 21:17 <DIR> --d----- C:\_OTMoveIt
2009-03-20 19:36 153 a------- c:\windows\wininit.ini
2009-03-14 10:06 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-14 10:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-14 10:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-14 10:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-14 10:06 <DIR> --d----- c:\program files\AVG
2009-03-14 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-25 07:20 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-21 18:12 163 a------- c:\documents and settings\user\xrt_log.dat
2008-09-16 10:00 1,111,632 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2006-07-11 17:10 61,737,440 a------- c:\program files\World_Wind_1.3.5_Full.exe
2006-07-11 14:18 24,265,736 a------- c:\program files\dotnetfx.exe
2006-07-11 12:44 61,737,440 a------- c:\program files\Nasa World Wind Setup.exe
2005-06-05 14:17 63,488 a------- c:\documents and settings\all users\Norton - June 5 2005 Password Manager SETUP.exe
2005-01-05 23:27 2,184 a------- c:\program files\uninstal.log

============= FINISH: 22:43:26.31 ===============

#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:21 PM

Posted 24 March 2009 - 12:52 PM

Hello,

Congratulations you are now clean! :thumbup2:

We should tidy up our mess though.

OTCleanIt
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup!" button.
  • Allow your system to reboot.
Other Deletions

Locate where you saved DDS.exe, right click the file and select Delete.



Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently
  • It is important that you visit http://www.windowsupdate.com regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy
  • This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with program on a regular basis just as you would an anti virus software.
SUPERAntiSpyware
  • You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
  • Each antispyware product has different detection rates for different infections, using different products therefore increases your chances of finding and killing most malware.
Javacools© SpywareBlaster
  • SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help :)
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#10 dummest evar

dummest evar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 24 March 2009 - 01:39 PM

Jat, thank you.

One final question - about a firewall. Free and good, what do I choose, and what exactly is Winpatrol (OK 2 questions)?

Again, thank you very much for all your help, I really appreciate it!

#11 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:21 PM

Posted 26 March 2009 - 12:43 PM

Hello,

Some good free firewalls are ZoneAlarm, Comodo, or Outpost
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

As for WinPatrol, it:

Manage Startup programs, tasks, cookies; will sniff out Worms, Trojan horses, Cookies, Adware, Spyware, Klez, Assumption and other malicious programs


Edited by Jat90, 26 March 2009 - 12:43 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:21 AM

Posted 28 March 2009 - 07:01 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users