Infected With Virtumonde


8 replies to this topic

#1 phombus

phombus

  • Members
  • 5 posts

Posted 19 October 2006 - 10:44 PM

Hello Everyone!
Haven't been able to get rid of this one.
Used Vundofix to no avail.
Many Thanks in advance.

Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:27 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4180C256-36A6-99C9-6D2D-0B83D898A73E} - C:\WINDOWS\system32\nmzfgwe.dll (file missing)
O2 - BHO: (no name) - {47A8E2D8-BB33-44F1-AA9F-3C6398F53751} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\bbnmkmqs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137379770281
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Also, getting messages on Webroot about winlogonhook
Thanks Again

#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 20 October 2006 - 07:11 PM

Are you having Spysweeper fix what it finds - post its log

Right click on hijackthis.exe and rename it to bleep.exe

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {4180C256-36A6-99C9-6D2D-0B83D898A73E} - C:\WINDOWS\system32\nmzfgwe.dll (file missing)

O2 - BHO: (no name) - {47A8E2D8-BB33-44F1-AA9F-3C6398F53751} - C:\WINDOWS\system32\pmnlk.dll (file missing)

O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\bbnmkmqs.dll (file missing)

O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe

O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
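As an added example that is not part of this thread, here is a small Python triage script that applies the same two rules MFDnSC used above to a HijackThis 1.99 log: flag O2 BHO registrations whose DLL is reported missing, and flag O4 Run values that launch a Windows core binary such as svchost.exe, which Run keys never legitimately start. The sample lines are copied from the log in post #1; the CORE_BINARIES list and the parsing helpers are this example's own assumptions, not HijackThis features.

```python
"""Triage a HijackThis 1.99 log for two Virtumonde-style persistence patterns:
O2 BHO registrations whose DLL is gone, and O4 Run values that launch a
Windows core binary (svchost.exe and friends) that Run keys never start."""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4180C256-36A6-99C9-6D2D-0B83D898A73E} - C:\WINDOWS\system32\nmzfgwe.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\bbnmkmqs.dll (file missing)
O4 - HKLM\..\Run: [WinService32] C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$"
)
# Assumption for this example: core Windows binaries that services.exe/winlogon
# start themselves, so any Run value naming one of them is out of place.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_bho(line: str) -> Optional[Dict[str, object]]:
    """Split an O2 line into name, CLSID, DLL path and a 'missing' flag."""
    m = BHO_RE.match(line)
    if not m:
        return None
    return {"name": m["name"], "clsid": m["clsid"], "path": m["path"],
            "missing": m["missing"] is not None}


def parse_run(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 Run line into hive, value name and command string."""
    m = RUN_RE.match(line)
    return m.groupdict() if m else None


def executable_of(cmd: str) -> str:
    """Return the program a Run command launches: the quoted token when the
    command is quoted, otherwise the text before the first ' /' or ' -' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    for sep in (" /", " -"):
        idx = cmd.find(sep)
        if idx != -1:
            cmd = cmd[:idx]
    return cmd


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious O2/O4 line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        bho = parse_bho(line)
        if bho is not None:
            if bho["missing"]:
                findings.append({
                    "kind": "orphan_bho", "clsid": str(bho["clsid"]), "line": line,
                    "reason": "BHO registration points at a DLL that no longer exists",
                })
            continue
        run = parse_run(line)
        if run is None:
            continue
        exe = executable_of(run["cmd"])
        if ntpath.basename(exe).lower() in CORE_BINARIES:
            findings.append({
                "kind": "core_binary_in_run", "entry": run["entry"], "line": line,
                "reason": f"{ntpath.basename(exe)} launched from a Run key, "
                          f"from {ntpath.dirname(exe) or '(no path)'}",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
```

On the sample above it reports the two orphaned (no name) BHOs and the WinService32 value, and passes the Adobe, NeroCheck and RUNDLL32 lines as clean.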

#3 phombus

phombus
  • Topic Starter

  • Members
  • 5 posts

Posted 21 October 2006 - 03:18 PM

Webroot still finds virtumonde

Here's what else it shows:
virtumonde
trojan agent winlogonhook
system monitor ufp 007 spy
2o7.net cookie

Most recent HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:29 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Adam\Desktop\bleep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137379770281
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

P.S. Got rid of 2o7.net cookie

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 October 2006 - 03:33 PM

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
=================
IE - Block Third party cookies
1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.
===============
In firefox - TOOLS - OPTIONS - PRIVACY - COOKIES - Check originating site only
=====================

Delete the VundoFix you have and then get the current one.

Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
Double-click VundoFix.exe to run it.
click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 phombus

phombus
  • Topic Starter

  • Members
  • 5 posts

Posted 21 October 2006 - 04:42 PM

No infected files found with VundoFix.
Same results in Webroot.
I think it's somewhere in the Java???



Logfile of HijackThis v1.99.1
Scan saved at 5:41:17 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\bleep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137379770281
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 October 2006 - 04:45 PM

Post the Spysweeper log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 phombus

phombus
  • Topic Starter

  • Members
  • 5 posts

Posted 21 October 2006 - 04:51 PM

Here's the file to 10/18,
using the preview version.

5:36 PM: Sweep Status: 1 Item Found
5:36 PM: Traces Found: 1
5:36 PM: Memory Sweep Complete, Elapsed Time: 00:00:13
5:36 PM: Sweep Canceled
5:36 PM: Starting Memory Sweep
5:36 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
5:36 PM: Found Adware: virtumonde
5:36 PM: Sweep initiated using definitions version 783
5:36 PM: Spy Sweeper 5.0.7.1608 started
5:36 PM: | Start of Session, Saturday, October 21, 2006 |
********
5:36 PM: | End of Session, Saturday, October 21, 2006 |
5:36 PM: Sweep Status: 1 Item Found
5:36 PM: Traces Found: 1
5:36 PM: Memory Sweep Complete, Elapsed Time: 00:00:07
5:36 PM: Sweep Canceled
5:36 PM: Starting Memory Sweep
5:36 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
5:36 PM: Found Adware: virtumonde
5:36 PM: Sweep initiated using definitions version 783
5:36 PM: Spy Sweeper 5.0.7.1608 started
5:36 PM: | Start of Session, Saturday, October 21, 2006 |
********
5:36 PM: | End of Session, Saturday, October 21, 2006 |
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:35 PM: Shield States
5:35 PM: Spyware Definitions: 783
5:35 PM: Spy Sweeper 5.0.7.1608 started
5:20 PM: | End of Session, Saturday, October 21, 2006 |
4:10 PM: Traces Found: 9
4:10 PM: Full Sweep has completed. Elapsed time 00:11:21
4:10 PM: File Sweep Complete, Elapsed Time: 00:09:56
4:09 PM: C:\Documents and Settings\Adam\My Documents\Installers\007ssinstall.exe (ID = 197648)
4:08 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
4:00 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
4:00 PM: Found System Monitor: ufp 007 spy
4:00 PM: Starting File Sweep
4:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:00 PM: c:\documents and settings\adam\cookies\adam@2o7[2].txt (ID = 1957)
4:00 PM: Found Spy Cookie: 2o7.net cookie
4:00 PM: Starting Cookie Sweep
4:00 PM: Registry Sweep Complete, Elapsed Time:00:00:09
4:00 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
4:00 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
4:00 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
4:00 PM: Found Trojan Horse: trojan agent winlogonhook
4:00 PM: Starting Registry Sweep
4:00 PM: Memory Sweep Complete, Elapsed Time: 00:01:12
3:59 PM: Starting Memory Sweep
3:59 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
3:59 PM: Found Adware: virtumonde
3:59 PM: Sweep initiated using definitions version 783
3:59 PM: Spy Sweeper 5.0.7.1608 started
3:59 PM: | Start of Session, Saturday, October 21, 2006 |
********
5:32 PM: Traces Found: 9
5:32 PM: Full Sweep has completed. Elapsed time 00:11:07
5:32 PM: File Sweep Complete, Elapsed Time: 00:09:32
5:30 PM: C:\Documents and Settings\Adam\My Documents\Installers\007ssinstall.exe (ID = 197648)
5:30 PM: Warning: Failed to open file "c:\documents and settings\adam\application data\mozilla\firefox\profiles\ckn367s8.default\parent.lock". The operation completed successfully
5:30 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
5:22 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
5:22 PM: Found System Monitor: ufp 007 spy
5:22 PM: Starting File Sweep
5:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:22 PM: Starting Cookie Sweep
5:22 PM: c:\documents and settings\adam\cookies\adam@2o7[1].txt (ID = 1957)
5:22 PM: Found Spy Cookie: 2o7.net cookie
5:22 PM: Registry Sweep Complete, Elapsed Time:00:00:10
5:22 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
5:22 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
5:22 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
5:22 PM: Found Trojan Horse: trojan agent winlogonhook
5:22 PM: Starting Registry Sweep
5:22 PM: Memory Sweep Complete, Elapsed Time: 00:01:22
5:21 PM: Starting Memory Sweep
5:21 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
5:21 PM: Found Adware: virtumonde
5:20 PM: Sweep initiated using definitions version 783
5:20 PM: Spy Sweeper 5.0.7.1608 started
5:20 PM: | Start of Session, Saturday, October 21, 2006 |
********
3:59 PM: | End of Session, Saturday, October 21, 2006 |
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
3:58 PM: Shield States
3:58 PM: Spyware Definitions: 783
3:58 PM: Spy Sweeper 5.0.7.1608 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
3:50 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
3:50 PM: Tamper Detection
3:01 PM: Your definitions are up to date.
3:01 PM: Automated check for program update in progress.
2:02 PM: Your definitions are up to date.
2:02 PM: Automated check for program update in progress.
Operation: File Access
Target:
Source: C:\DOCUMENTS AND SETTINGS\ADAM\DESKTOP\STNG260.EXE
11:21 PM: Tamper Detection
11:21 PM: Warning: Failed to load image: C:\DOCUMENTS AND SETTINGS\ADAM\DESKTOP\STNG260.EXE
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:53 PM: Shield States
10:53 PM: Spyware Definitions: 783
10:52 PM: Spy Sweeper 5.0.7.1608 started
10:40 PM: | End of Session, Thursday, October 19, 2006 |
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:32 PM: Shield States
10:32 PM: Spyware Definitions: 783
10:32 PM: Spy Sweeper 5.0.7.1608 started
10:24 PM: | End of Session, Thursday, October 19, 2006 |
10:11 PM: Traces Found: 15
10:11 PM: Full Sweep has completed. Elapsed time 00:11:16
10:11 PM: File Sweep Complete, Elapsed Time: 00:09:50
10:10 PM: C:\Documents and Settings\Adam\My Documents\Installers\007ssinstall.exe (ID = 197648)
10:09 PM: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". The operation completed successfully
10:01 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
10:01 PM: Starting File Sweep
10:01 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:01 PM: c:\documents and settings\adam\cookies\adam@2o7[1].txt (ID = 1957)
10:01 PM: Found Spy Cookie: 2o7.net cookie
10:01 PM: Starting Cookie Sweep
10:01 PM: Registry Sweep Complete, Elapsed Time:00:01:23
10:01 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704220)
10:01 PM: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
10:01 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
10:01 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
10:01 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
10:01 PM: HKLM\software\microsoft\windows\currentversion\run\ || windows lsass service (ID = 1693337)
10:01 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
10:01 PM: Found Trojan Horse: trojan agent winlogonhook
10:01 PM: HKLM\software\microsoft\windows\currentversion\run\ || winservice32 (ID = 101812)
10:01 PM: Found System Monitor: ufp 007 spy
10:01 PM: Memory Sweep Complete, Elapsed Time: 00:00:00
10:01 PM: Starting Registry Sweep
10:00 PM: Starting Memory Sweep
10:00 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
10:00 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
10:00 PM: Found Adware: virtumonde
10:00 PM: Sweep initiated using definitions version 783
10:00 PM: Spy Sweeper 5.0.7.1608 started
10:00 PM: | Start of Session, Thursday, October 19, 2006 |
********
10:29 PM: Sweep Status: 3 Items Found
10:29 PM: Traces Found: 12
10:29 PM: File Sweep Complete, Elapsed Time: 00:03:21
10:29 PM: Sweep Canceled
10:26 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
10:26 PM: Starting File Sweep
10:26 PM: Registry Sweep Complete, Elapsed Time:00:01:13
10:26 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704220)
10:26 PM: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
10:26 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
10:26 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
10:26 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
10:26 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
10:26 PM: Found Trojan Horse: trojan agent winlogonhook
10:26 PM: HKLM\software\microsoft\windows\currentversion\run\ || winservice32 (ID = 101812)
10:26 PM: Found System Monitor: ufp 007 spy
10:26 PM: Memory Sweep Complete, Elapsed Time: 00:00:00
10:26 PM: Starting Registry Sweep
10:24 PM: Starting Memory Sweep
10:24 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
10:24 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
10:24 PM: Found Adware: virtumonde
10:24 PM: Sweep initiated using definitions version 783
10:24 PM: Spy Sweeper 5.0.7.1608 started
10:24 PM: | Start of Session, Thursday, October 19, 2006 |
********
10:46 PM: Sweep Status: 3 Items Found
10:46 PM: Traces Found: 12
10:46 PM: File Sweep Complete, Elapsed Time: 00:04:37
10:46 PM: Sweep Canceled
10:42 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
10:41 PM: Starting File Sweep
10:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:41 PM: Starting Cookie Sweep
10:41 PM: Registry Sweep Complete, Elapsed Time:00:01:15
10:41 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704220)
10:41 PM: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
10:41 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
10:41 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
10:41 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
10:41 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
10:41 PM: Found Trojan Horse: trojan agent winlogonhook
10:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || winservice32 (ID = 101812)
10:41 PM: Found System Monitor: ufp 007 spy
10:41 PM: Memory Sweep Complete, Elapsed Time: 00:00:00
10:41 PM: Starting Registry Sweep
10:40 PM: Starting Memory Sweep
10:40 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
10:40 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
10:40 PM: Found Adware: virtumonde
10:40 PM: Sweep initiated using definitions version 783
10:40 PM: Spy Sweeper 5.0.7.1608 started
10:40 PM: | Start of Session, Thursday, October 19, 2006 |
********
10:00 PM: | End of Session, Thursday, October 19, 2006 |
1:58 PM: Your definitions are up to date.
1:58 PM: Automated check for program update in progress.
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
8:41 PM: Shield States
8:41 PM: Spyware Definitions: 783
8:41 PM: Spy Sweeper 5.0.7.1608 started
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
8:38 PM: Tamper Detection
Operation: Terminate
Target: C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPERUI.EXE
Source: C:\WINDOWS\SYSTEM32\CSRSS.EXE
8:38 PM: Tamper Detection
Keylogger Shield: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:23 PM: Shield States
5:23 PM: Spyware Definitions: 783
5:23 PM: Spy Sweeper 5.0.7.1608 started
3:59 PM: | End of Session, Wednesday, October 18, 2006 |
3:58 PM: Program Version 5.0.7.1608 Using Spyware Definitions 783
2:49 PM: None
2:49 PM: Traces Found: 0
2:49 PM: Explorer Sweep has completed. Elapsed time 00:00:00
2:49 PM: File Sweep Complete, Elapsed Time: 00:00:00
2:49 PM: Starting File Sweep
2:49 PM: Sweep initiated using definitions version 783
2:49 PM: Spy Sweeper 5.0.7.1608 started
2:49 PM: | Start of Session, Wednesday, October 18, 2006 |
********
4:21 PM: Traces Found: 16
4:21 PM: Full Sweep has completed. Elapsed time 00:22:34
4:21 PM: File Sweep Complete, Elapsed Time: 00:21:29
4:20 PM: 007ssinstall.exe (ID = 197648)
4:00 PM: ssdata (2 subtraces) (ID = 2147503330)
4:00 PM: Starting File Sweep
4:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:00 PM: adam@ugo[1].txt (ID = 3608)
4:00 PM: Found Spy Cookie: ugo cookie
4:00 PM: adam@2o7[2].txt (ID = 1957)
4:00 PM: Found Spy Cookie: 2o7.net cookie
4:00 PM: Starting Cookie Sweep
4:00 PM: Registry Sweep Complete, Elapsed Time:00:00:14
4:00 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704220)
4:00 PM: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
4:00 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
4:00 PM: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
4:00 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
4:00 PM: HKLM\software\microsoft\windows\currentversion\run\ || windows lsass service (ID = 1693337)
4:00 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
4:00 PM: Found Trojan Horse: trojan agent winlogonhook
3:59 PM: HKLM\software\microsoft\windows\currentversion\run\ || winservice32 (ID = 101812)
3:59 PM: Found System Monitor: ufp 007 spy
3:59 PM: Starting Registry Sweep
3:59 PM: Memory Sweep Complete, Elapsed Time: 00:00:40
3:59 PM: Starting Memory Sweep
3:59 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
3:59 PM: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
3:59 PM: Found Adware: virtumonde
3:59 PM: Sweep initiated using definitions version 783
3:59 PM: Spy Sweeper 5.0.7.1608 started
3:59 PM: | Start of Session, Wednesday, October 18, 2006 |
********
2:49 PM: | End of Session, Wednesday, October 18, 2006
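To make repeated Spy Sweeper sessions like the ones above easier to read, here is an added parser (example code written for this thread, not Spy Sweeper's or the poster's) that splits the log into sessions and lists the trace IDs that reappear from one session to the next, i.e. the entries that survive each clean; SAMPLE_LOG is a constructed excerpt in the log's format.

```python
import re
# Added example for this thread, not Spy Sweeper's or the poster's own code.
# Spy Sweeper 5.x logs are written newest-first, sessions are separated by a line
# of asterisks, and each entry reads "10:26 PM: <message>"; "Found <category>: <name>"
# is printed once per threat, so traces are collected per session, not per threat.
ENTRY_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
TRACE_RE = re.compile(r"^(?P<trace>.+?)(?: \(\d+ subtraces\))? \(ID = (?P<id>\d+)\)$")

def parse_sessions(log_text):
    """One dict per session, oldest first: {"threats": set, "traces": {id: text}}."""
    sessions, current = [], None
    for line in map(str.strip, reversed(log_text.splitlines())):  # reversed = chronological
        if line.startswith("********"):  # session boundary
            if current:
                sessions.append(current)
            current = None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        current = current or {"threats": set(), "traces": {}}
        msg = m.group("msg")
        if (f := FOUND_RE.match(msg)):
            current["threats"].add(f"{f.group('category')}: {f.group('name')}")
        elif (t := TRACE_RE.match(msg)):
            current["traces"][int(t.group("id"))] = t.group("trace")
    return sessions + ([current] if current else [])

def recurring_traces(sessions):
    """Trace IDs reported in more than one session: items that came back after a
    clean, which is how a self-reinstalling infection such as Virtumonde shows up."""
    seen = {}
    for s in sessions:
        for tid, text in s["traces"].items():
            seen.setdefault(tid, [text, 0])[1] += 1
    return {tid: text for tid, (text, n) in seen.items() if n > 1}

# Constructed two-session excerpt in the format of the log posted above.
SAMPLE_LOG = r"""
10:42 PM: C:\Program Files\Common Files\Microsoft Shared\DAO\ssdata (2 subtraces) (ID = 2147503330)
10:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || winservice32 (ID = 101812)
10:41 PM: Found System Monitor: ufp 007 spy
10:40 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
10:40 PM: Found Adware: virtumonde
********
10:24 PM: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\inprocserver32\ (ID = 1738138)
10:24 PM: Found Adware: virtumonde
********
"""
```

Running `recurring_traces(parse_sessions(SAMPLE_LOG))` on the excerpt returns only the Virtumonde InprocServer32 CLSID, which is exactly the kind of entry that a one-off removal tool keeps missing.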

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 21 October 2006 - 05:08 PM

Download Superantispyware

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

1. Load Superantispyware and click the check for updates button.
2. Once the update is finished click the scan your computer button.
3. Check Perform Complete Scan and then next.
4. Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
5. Make sure that they all have a check next to them and press next.
6. Click finish and you will be taken back to the main interface.
7. Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
8. Copy and paste the log onto the forum.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 phombus

phombus
  • Topic Starter

  • Members
  • 5 posts

Posted 21 October 2006 - 08:29 PM

Got it!
Doesn't come up when I scan with spysweeper or superantispyware

Thanks so very much for your help
