
Please review HJT log - persistent virtumonde

Hi - I've been plagued by persistent pop-ups and slow performance. SpySweeper found "virtumonde" and "core adware", but has been unable to remove them successfully. I downloaded and ran HijackThis and VundoFix as instructed in an archived thread. VundoFix is no longer detecting any harmful files, but the pop-ups haven't stopped. SpySweeper still picks up the same two programs. I've posted my logs below for review - thanks for your help!



Logfile of HijackThis v1.99.1
Scan saved at 9:38:08 AM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hijackthis\Scanner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {049CE894-CD69-4750-8177-9D36C617FA50} - C:\Program Files\Online Services\hosecunyz58441.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6F5F8322-FBFD-471C-A220-5CECB7DF8CDC} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {B3B06415-7A5C-40C4-975C-036186D741DA} - C:\Program Files\Online Services\hosecunyz43855.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [{69-9D-D9-99-ZN}] C:\windows\system32\dwdsregt.exe CHD003
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE




VundoFix V6.5.1
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 8:41:41 AM 6/19/2007
Listing files found while scanning....
C:\windows\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\cbxuspm.dll
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\kcupolro.dll
C:\windows\system32\lmnyhspt.dll
C:\windows\system32\lsqcsieq.ini
C:\windows\system32\orlopuck.ini
C:\windows\system32\qeiscqsl.dll
C:\WINDOWS\system32\wndygiot.dll
C:\windows\system32\wvuvsqo.dll
C:\windows\system32\xbtvvbml.exe
Beginning removal...
Attempting to delete C:\windows\system32\bdeeg.bak1
C:\windows\system32\bdeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxuspm.dll
C:\WINDOWS\system32\cbxuspm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kcupolro.dll
C:\WINDOWS\system32\kcupolro.dll Could not be deleted.
Attempting to delete C:\windows\system32\lmnyhspt.dll
C:\windows\system32\lmnyhspt.dll Has been deleted!
Attempting to delete C:\windows\system32\lsqcsieq.ini
C:\windows\system32\lsqcsieq.ini Has been deleted!
Attempting to delete C:\windows\system32\orlopuck.ini
C:\windows\system32\orlopuck.ini Has been deleted!
Attempting to delete C:\windows\system32\qeiscqsl.dll
C:\windows\system32\qeiscqsl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wndygiot.dll
C:\WINDOWS\system32\wndygiot.dll Has been deleted!
Attempting to delete C:\windows\system32\wvuvsqo.dll
C:\windows\system32\wvuvsqo.dll Has been deleted!
Attempting to delete C:\windows\system32\xbtvvbml.exe
C:\windows\system32\xbtvvbml.exe Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.1
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 8:49:05 AM 6/19/2007
Listing files found while scanning....
C:\windows\system32\kcupolro.dll
Beginning removal...
Attempting to delete C:\windows\system32\kcupolro.dll
C:\windows\system32\kcupolro.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.1
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 8:56:23 AM 6/19/2007
Listing files found while scanning....
No infected files were found.
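Cross-checking the two logs above mechanically, as an added example (not part of the original post, and not a feature of HijackThis or VundoFix): parse the O2 BHO lines and VundoFix's deletion results, then flag BHOs with no name, a missing file, or a DLL that VundoFix already removed, which is exactly the orphaned geedb.dll registration in the log. The sample input is a constructed excerpt of the logs above, embedded inline so the script runs offline.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed excerpt of the HijackThis log quoted above (O2 = Browser Helper
# Objects, O20 = Winlogon Notify); one well-known BHO is kept as a control.
HJT_LOG = r"""
O2 - BHO: (no name) - {049CE894-CD69-4750-8177-9D36C617FA50} - C:\Program Files\Online Services\hosecunyz58441.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F5F8322-FBFD-471C-A220-5CECB7DF8CDC} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {B3B06415-7A5C-40C4-975C-036186D741DA} - C:\Program Files\Online Services\hosecunyz43855.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed excerpt of the VundoFix output quoted above.
VUNDOFIX_LOG = r"""
Attempting to delete C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kcupolro.dll
C:\WINDOWS\system32\kcupolro.dll Could not be deleted.
"""

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
DELETED_RE = re.compile(r"^(?P<path>.+?) Has been deleted!$")
FAILED_RE = re.compile(r"^(?P<path>.+?) Could not be deleted\.$")


@dataclass
class Finding:
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_vundofix(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (deleted, not_deleted) as lower-cased file basenames."""
    deleted: Set[str] = set()
    failed: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_RE.match(line):
            deleted.add(ntpath.basename(m["path"]).lower())
        elif m := FAILED_RE.match(line):
            failed.add(ntpath.basename(m["path"]).lower())
    return deleted, failed


def triage_bhos(hjt_text: str, vundofix_text: str) -> List[Finding]:
    """Flag O2 (BHO) entries that a log reviewer would want to look at."""
    deleted, _ = parse_vundofix(vundofix_text)
    findings: List[Finding] = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (other sections are ignored here)
        reasons: List[str] = []
        if m["name"] == "(no name)":
            reasons.append("no name: registered without a friendly name")
        if m["missing"]:
            reasons.append("file missing: CLSID still registered but DLL is gone")
        if ntpath.basename(m["path"]).lower() in deleted:
            reasons.append("orphaned: DLL removed by VundoFix, registry entry remains")
        if reasons:
            findings.append(Finding(m["clsid"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_bhos(HJT_LOG, VUNDOFIX_LOG):
        print(f"{f.clsid} {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
    _, still_present = parse_vundofix(VUNDOFIX_LOG)
    print("VundoFix could not delete:", sorted(still_present))
```

Files that VundoFix reports as "Could not be deleted" are the ones still loaded at scan time, which is why the helper's advice below moves the cleanup into Safe Mode.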

Comments

  • edited June 2007
    Hello, and welcome to Icrontic. :)



    1. Download VirtumundoBeGone and save it to your desktop:
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    2. Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode. Select safe mode using the arrow keys on the keyboard and then press Enter.

    3. When your computer reaches the desktop, make sure you log in as the same user.

    4. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

    5. Exit when it has finished, and reboot back to normal mode.




    Post back with a new HijackThis log, and we'll take it from there.
  • edited June 2007
    Hey, thanks for your prompt response - this is much appreciated! I'm working the night shift as part of my medical residency, so I'll do the best I can to keep working on the problem and report back ASAP. Anyway, I downloaded and ran VirtumundoBeGone, which didn't appear to detect anything harmful. Unfortunately, the pop-ups are still continuing. I created a new HJT log, which I posted below. I've also posted results from Panda and Kaspersky online scans, in case those are useful at all. Thanks again for your help!


    (HJT log)

    Logfile of HijackThis v1.99.1
    Scan saved at 1:00:03 PM, on 6/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dlcccoms.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Hijackthis\Scanner.exe
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE




    (VirtumundoBeGone log)

    [06/20/2007, 12:54:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jason\Desktop\VirtumundoBeGone.exe" )
    [06/20/2007, 12:54:10] - Detected System Information:
    [06/20/2007, 12:54:10] - Windows Version: 5.1.2600, Service Pack 2
    [06/20/2007, 12:54:10] - Current Username: Jason (Admin)
    [06/20/2007, 12:54:10] - Windows is in NORMAL mode.
    [06/20/2007, 12:54:10] - Searching for Browser Helper Objects:
    [06/20/2007, 12:54:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [06/20/2007, 12:54:10] - BHO 2: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee AntiPhishing Filter)
    [06/20/2007, 12:54:10] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [06/20/2007, 12:54:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/20/2007, 12:54:10] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [06/20/2007, 12:54:10] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [06/20/2007, 12:54:10] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [06/20/2007, 12:54:10] - BHO 5: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
    [06/20/2007, 12:54:10] - Finished Searching Browser Helper Objects
    [06/20/2007, 12:54:10] - Finishing up...
    [06/20/2007, 12:54:10] - Nothing found! Exiting...


    (Panda Active Scan)

    Incident Status Location
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jason\Cookies\jason@bravenet[1].txt
    Potentially unwanted tool:Application/ViewPoint Not disinfected C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cbxuspm.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\geedb.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\kcupolro.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qeiscqsl.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wndygiot.dll.bad
    Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wvuvsqo.dll.bad
    Virus:Trj/Lowzones.TP Disinfected C:\VundoFix Backups\xbtvvbml.exe.bad
    Virus:Malware Generic



    (Kaspersky Online Scan)
    Wednesday, June 20, 2007 12:35:02 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 20/06/2007
    Kaspersky Anti-Virus database records: 349613

    Scan Settings
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target: My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects: 61588
    Number of viruses found: 9
    Number of infected objects: 22 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:34:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
    C:\Documents and Settings\Jason\Application Data\Webroot\Spy Sweeper\Logs\070619181710.ses Object is locked skipped
    C:\Documents and Settings\Jason\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\History\History.IE5\MSHist012007062020070621\index.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Temp\clclean.0001.dir.0001\~efe2.tmp Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Temp\JET2B13.tmp Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe Ghost Installer: infected - 6 skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe UPX: infected - 6 skipped
    C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Jason\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and 
Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0021437.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0021438.exe Infected: Trojan-Clicker.Win32.VB.po skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022541.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022543.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022544.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022546.exe Infected: Trojan.Win32.Agent.anr skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022556.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP309\change.log Object is locked skipped C:\VundoFix Backups\cbxuspm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\VundoFix Backups\geedb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\VundoFix Backups\kcupolro.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\VundoFix Backups\qeiscqsl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\VundoFix Backups\wndygiot.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped C:\VundoFix Backups\wvuvsqo.dll.bad Infected: 
not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\WINDOWS\CSC\00000001 Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F51592F8-981A-44A7-BC6D-F9916AF1E36F}.crmlog Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped C:\WINDOWS\system32\drivers\core.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is 
locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\CS01471664-B4B9-43AF-A2F7-B92D09845D16.tmp Object is locked skipped C:\WINDOWS\Temp\CS04C85D58-E3FC-4428-B4D2-C2A70FFFF1F1.tmp Object is locked skipped C:\WINDOWS\Temp\CS06D8768A-9B06-413A-A023-49A24EE0665E.tmp Object is locked skipped C:\WINDOWS\Temp\CS078B6BEE-8B6C-48BF-9264-4246B2D24CDE.tmp Object is locked skipped C:\WINDOWS\Temp\CS0859E1D3-1EE8-41C5-9E8A-AE626587DEF3.tmp Object is locked skipped C:\WINDOWS\Temp\CS08F9BE17-9152-4193-A69D-9D8D3BBFD31B.tmp Object is locked skipped C:\WINDOWS\Temp\CS0B177BD2-30BE-4983-A2ED-EDE56B87A026.tmp Object is locked skipped C:\WINDOWS\Temp\CS15E129F0-98E2-40FA-AF2F-3BCAD052F3CD.tmp Object is locked skipped C:\WINDOWS\Temp\CS16B7EFAF-380B-4584-A355-2776D3649446.tmp Object is locked skipped C:\WINDOWS\Temp\CS1942E5ED-DBE8-4FDE-A2B8-73B7083EDA44.tmp Object is locked skipped C:\WINDOWS\Temp\CS1B801C13-5F61-42B1-9913-F184BED12EF6.tmp Object is locked skipped C:\WINDOWS\Temp\CS1CCAE884-A494-4AE1-8500-1CF1872A23F5.tmp Object is locked skipped C:\WINDOWS\Temp\CS1F949AF7-8156-4132-8BE3-7319FA54BB87.tmp Object is locked skipped C:\WINDOWS\Temp\CS21BC0C1C-A215-46A7-912D-65B02463BFA8.tmp Object is locked skipped C:\WINDOWS\Temp\CS224B7D68-4DA9-41DD-91B9-57A778A836E1.tmp Object is locked skipped C:\WINDOWS\Temp\CS27E52231-FB6C-4B21-904C-9E9A288BB5E0.tmp Object is locked skipped C:\WINDOWS\Temp\CS2C284D0C-A145-49A1-9550-C765D0A429F9.tmp Object is locked skipped C:\WINDOWS\Temp\CS2E751FD2-D8F8-4108-A981-4360B545E96D.tmp Object is locked skipped C:\WINDOWS\Temp\CS2EBEAEE1-E4C1-4DF4-9D80-6D452AEB1AEF.tmp Object is locked skipped C:\WINDOWS\Temp\CS326DCE41-3BB3-419C-A4A5-3806A159D870.tmp Object is locked 
skipped C:\WINDOWS\Temp\CS376513B3-4177-4C0D-8C7E-3B51981BAB75.tmp Object is locked skipped C:\WINDOWS\Temp\CS388833A7-EC01-4AE9-B7FD-022929184BDB.tmp Object is locked skipped C:\WINDOWS\Temp\CS3CF89790-536C-4072-8242-F7DE68EB4021.tmp Object is locked skipped C:\WINDOWS\Temp\CS43F95CF0-355E-460C-BC65-1C823F60349C.tmp Object is locked skipped C:\WINDOWS\Temp\CS4673D57E-1AA7-4D12-9E84-600C135B23BD.tmp Object is locked skipped C:\WINDOWS\Temp\CS46A8D226-3F62-4B01-AFD1-5BAE9C1B34B9.tmp Object is locked skipped C:\WINDOWS\Temp\CS50411DF5-F933-43D0-9FE8-3E139A8E0DDD.tmp Object is locked skipped C:\WINDOWS\Temp\CS582C59F7-1F1E-4F30-93B9-ECA563BC928D.tmp Object is locked skipped C:\WINDOWS\Temp\CS584C7A69-6E1E-4289-9CA5-094E8505C849.tmp Object is locked skipped C:\WINDOWS\Temp\CS58D5A674-FB3E-4C87-AA85-7CF6D236B0D3.tmp Object is locked skipped C:\WINDOWS\Temp\CS5C62ABBC-EEF0-4910-AF57-AFD6C9E70C16.tmp Object is locked skipped C:\WINDOWS\Temp\CS5E83F0F4-61ED-4C9B-AF13-A7670108C2C3.tmp Object is locked skipped C:\WINDOWS\Temp\CS61D6E338-C725-44B7-A7CB-01386CEF2BBB.tmp Object is locked skipped C:\WINDOWS\Temp\CS667118BD-28D8-4015-9C9F-0C2142DB81F1.tmp Object is locked skipped C:\WINDOWS\Temp\CS6A6AD902-3287-4C9F-A3EC-D61C83DE796A.tmp Object is locked skipped C:\WINDOWS\Temp\CS7F15EA2E-CFF3-4869-B23A-F6689EEFE1A0.tmp Object is locked skipped C:\WINDOWS\Temp\CS7F7E80DC-4878-4100-92DB-0C1EB763E785.tmp Object is locked skipped C:\WINDOWS\Temp\CS7FB8F69C-4B79-47F6-940E-215A12327333.tmp Object is locked skipped C:\WINDOWS\Temp\CS81EB56D1-7A5F-4FF9-A30C-C2E3EFFAB86A.tmp Object is locked skipped C:\WINDOWS\Temp\CS832EEF51-C6EE-4015-B3E1-DCEE12CA94B0.tmp Object is locked skipped C:\WINDOWS\Temp\CS86A0A8F4-ABEC-44EF-BDA9-F7309DE19FDE.tmp Object is locked skipped C:\WINDOWS\Temp\CS87D955C1-1836-4541-8EAC-9AB44B71120B.tmp Object is locked skipped C:\WINDOWS\Temp\CS8A7C18EC-C0F5-4196-AA0C-4A1C7A08F9A6.tmp Object is locked skipped C:\WINDOWS\Temp\CS8BE89460-5F19-46F9-87DB-437107B47B01.tmp 
Object is locked skipped C:\WINDOWS\Temp\CS8C1AC30F-D1BA-4132-8517-9906EBA47437.tmp Object is locked skipped C:\WINDOWS\Temp\CS8C905B29-B4BD-443A-9491-E18661AF1F30.tmp Object is locked skipped C:\WINDOWS\Temp\CS8CF1F2B9-0398-494F-8BAF-08C6D5F47BBA.tmp Object is locked skipped C:\WINDOWS\Temp\CS8D8EE76D-D726-43CD-A81E-BB6F1FF53CFC.tmp Object is locked skipped C:\WINDOWS\Temp\CS8DA6B818-F87B-4A01-A2C9-CB7FCE212EFB.tmp Object is locked skipped C:\WINDOWS\Temp\CS8F4B288E-9FE5-434E-B839-CD05C0897CEA.tmp Object is locked skipped C:\WINDOWS\Temp\CS915D7B56-FE35-4321-B16A-3E7194B0DB3E.tmp Object is locked skipped C:\WINDOWS\Temp\CS91D2A2B0-4008-40A4-9DE4-CE8AFA0948A0.tmp Object is locked skipped C:\WINDOWS\Temp\CS93952E5A-0D73-46E6-A0E4-AB6DA57604EB.tmp Object is locked skipped C:\WINDOWS\Temp\CS94BFAD1B-BE4E-4442-87EF-0966B3EB78E6.tmp Object is locked skipped C:\WINDOWS\Temp\CS95F4AB24-7E96-402D-BEA8-E46CB255BBEB.tmp Object is locked skipped C:\WINDOWS\Temp\CS9882978D-BF31-44B8-A847-54C09B2AD372.tmp Object is locked skipped C:\WINDOWS\Temp\CS9DDA9B3D-5A78-45A2-B4DD-D59B92C9F60B.tmp Object is locked skipped C:\WINDOWS\Temp\CSA01042F7-38A4-4426-B514-12911106948C.tmp Object is locked skipped C:\WINDOWS\Temp\CSA2A5033B-B288-4C9E-8DCE-0BDBA84929ED.tmp Object is locked skipped C:\WINDOWS\Temp\CSA7976691-3F25-4B64-94A2-F593883912B9.tmp Object is locked skipped C:\WINDOWS\Temp\CSA9747952-5ED0-4A73-A139-F7C5103A4DC1.tmp Object is locked skipped C:\WINDOWS\Temp\CSA9EAEDF9-CB1C-4F10-AD5B-D9F76D9AA212.tmp Object is locked skipped C:\WINDOWS\Temp\CSAA880F81-7D8F-4B54-8EE4-E74F817A844A.tmp Object is locked skipped C:\WINDOWS\Temp\CSAF3262BF-45C5-45D8-9845-B9429F474541.tmp Object is locked skipped C:\WINDOWS\Temp\CSB59AAE2A-5DC5-45EF-99CC-97CD2AE484D8.tmp Object is locked skipped C:\WINDOWS\Temp\CSB77A3908-E7D3-4C0D-8856-0834DDCD9BB1.tmp Object is locked skipped C:\WINDOWS\Temp\CSB7C7689F-75A0-4B1C-BBE7-C957C5BF2704.tmp Object is locked skipped 
C:\WINDOWS\Temp\CSB8E594DB-4DA4-4C65-A518-EA754DD9684D.tmp Object is locked skipped C:\WINDOWS\Temp\CSBC0AA2DD-E245-42EA-B109-48BCF55A3783.tmp Object is locked skipped C:\WINDOWS\Temp\CSBE125A12-F887-4FF6-B5B6-90804D5A5719.tmp Object is locked skipped C:\WINDOWS\Temp\CSC29FFE14-AC7E-4FFB-94B2-E9496B86AEA7.tmp Object is locked skipped C:\WINDOWS\Temp\CSC5C80A7F-6736-4BB0-9A52-D70864F316D6.tmp Object is locked skipped C:\WINDOWS\Temp\CSC6DC483F-F7CE-4781-AE8A-06E598221EC9.tmp Object is locked skipped C:\WINDOWS\Temp\CSC6F24D79-923A-4AAA-9993-90F9CE807E34.tmp Object is locked skipped C:\WINDOWS\Temp\CSC853422B-9F1C-4CFF-94D6-9E209C0B2D34.tmp Object is locked skipped C:\WINDOWS\Temp\CSC9C8600B-7AC0-41B5-B579-A8B89E7955F0.tmp Object is locked skipped C:\WINDOWS\Temp\CSCAB9D4AD-3817-4AD1-9CE1-050A4FA69679.tmp Object is locked skipped C:\WINDOWS\Temp\CSCCEA08C5-5FF3-42C9-90FF-49B6F3CDDC00.tmp Object is locked skipped C:\WINDOWS\Temp\CSCEF93BE7-07F6-4947-9408-9686857013B6.tmp Object is locked skipped C:\WINDOWS\Temp\CSCFA6A3DC-A8FA-450D-8FD8-EEC4C3EF7728.tmp Object is locked skipped C:\WINDOWS\Temp\CSD4344847-4C9F-4AC8-97AA-9C1B4C2D029C.tmp Object is locked skipped C:\WINDOWS\Temp\CSD83B0909-13C3-442A-A593-B8B9B86A589A.tmp Object is locked skipped C:\WINDOWS\Temp\CSDA3F9034-40EB-476A-9830-BFC0EDFD9DCF.tmp Object is locked skipped C:\WINDOWS\Temp\CSDA86A886-FE63-4DF1-A293-A30FC44609DC.tmp Object is locked skipped C:\WINDOWS\Temp\CSDC5BC6AF-4E2E-4FA3-8074-019E077FE260.tmp Object is locked skipped C:\WINDOWS\Temp\CSDD33B94B-57B8-4CD0-B210-CC913315DCEC.tmp Object is locked skipped C:\WINDOWS\Temp\CSDF670865-ECDF-4F54-8CF4-F0C4B8B404E6.tmp Object is locked skipped C:\WINDOWS\Temp\CSE115B7BF-5167-41E6-9950-D8D48C326EC0.tmp Object is locked skipped C:\WINDOWS\Temp\CSE1EB5C08-7CB5-4FCA-9B72-CEF0E1D54ED3.tmp Object is locked skipped C:\WINDOWS\Temp\CSE2F25FED-84D4-4172-A648-9FA880C7AF92.tmp Object is locked skipped C:\WINDOWS\Temp\CSE5C8555C-8A08-49DB-956F-E809F9665E6A.tmp Object 
is locked skipped C:\WINDOWS\Temp\CSE62D59D1-18C2-4CA3-B972-C9D739019972.tmp Object is locked skipped C:\WINDOWS\Temp\CSE925E91A-6AD4-4331-9D25-1A30FD5F6781.tmp Object is locked skipped C:\WINDOWS\Temp\CSE9FAB2D2-6E5E-47FC-A75E-412399A3E794.tmp Object is locked skipped C:\WINDOWS\Temp\CSEE45736F-4836-4240-BB05-5AC7C8B531D6.tmp Object is locked skipped C:\WINDOWS\Temp\CSF16FDB93-06EA-43AC-B270-1A18055CD403.tmp Object is locked skipped C:\WINDOWS\Temp\CSF23991D9-3135-4BAA-BCAC-9C443CC284A9.tmp Object is locked skipped C:\WINDOWS\Temp\CSF3A07B9B-5CDC-4E88-BB6B-E21C4739AA68.tmp Object is locked skipped C:\WINDOWS\Temp\CSF3C2E668-0B2D-485F-8ED0-EAB4C7F8FFC4.tmp Object is locked skipped C:\WINDOWS\Temp\CSF7E5026A-A8EA-46EA-BF78-DE2EBA8C1EDA.tmp Object is locked skipped C:\WINDOWS\Temp\CSF997F0B1-AE4E-41FF-B7A5-DBD062E54BB4.tmp Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.
  • edited June 2007
    The new HijackThis log showed no signs of a Vundo infection.

    Delete this folder:
    C:\VundoFix Backups\



    Is McAfee still prompting you?
  • edited June 2007
    OK, I deleted the VundoFix Backups file. Still having the same problem with random pop-ups whenever I run Internet Explorer. I'm no longer getting any prompts regarding "virtumonde". I re-ran Spy Sweeper, which again picked up "core adware", which could not be fully removed. It no longer showed "virtumonde". Also re-ran Spybot S+D, which showed "smitfraud", and was unable to remove one of the infected registry keys.

    Should I go ahead and run the "smitfraud" fix as detailed in one of the threads in the main forums page?

    Thanks again for your continuing help!
  • edited June 2007
    We can check...
    Download
    SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, so they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
  • edited June 2007
    OK, here we go... SmitfraudFix search results are below.


    SmitFraudFix v2.195
    Scan done at 11:53:34.34, Thu 06/21/2007
    Run from C:\Documents and Settings\Jason\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode
    »»»»»»»»»»»»»»»»»»»»»»»» Process
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dlcccoms.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jason\Application Data

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jason\FAVORI~1

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="about:Home"
    "SubscribedURL"="about:Home"
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""

    »»»»»»»»»»»»»»»»»»»»»»»» Rustock

    »»»»»»»»»»»»»»»»»»»»»»»» DNS
    Description: Motorola SURFboard SB5101 USB Cable Modem - Packet Scheduler Miniport
    DNS Server Search Order: 68.9.16.30
    DNS Server Search Order: 68.9.16.25
    DNS Server Search Order: 68.100.16.30
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4330B223-2DA6-4C28-9279-8549F389AF11}: DhcpNameServer=68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4330B223-2DA6-4C28-9279-8549F389AF11}: DhcpNameServer=68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{4330B223-2DA6-4C28-9279-8549F389AF11}: DhcpNameServer=68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.9.16.30 68.9.16.25 68.100.16.30

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited June 2007
    SmitfraudFix did not detect any Smitfraud infection. We'll now try to clear some things that were detected by the online scanners you ran earlier on...


    ViewPoint was detected by Panda ActiveScan. Read the following and decide for yourself whether you want to remove it:
    http://ask-leo.com/viewmgrexe.html
    http://www.pchell.com/support/viewpoint.shtml


    After that, download ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Select All found at the bottom of the list.
    • Click the Empty Selected button.
    If you use Firefox browser, do this also:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser, do this also:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.



    Please run new scans with Panda ActiveScan and Kaspersky Online Scanner now.



    P.S. The "Object is locked skipped" entries in the Kaspersky log are not malicious...
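    A small triage script, added here as an example (it is not part of this thread and not a tool from any of the scanner vendors named in it), for reading a Kaspersky Online Scanner report like the ones posted above. It takes one object per line, as the scanner's own report lists them (the forum paste ran them together into a paragraph), and buckets each entry by where the object sits, because that rather than the detection name decides the next step: a locked object was never opened by the scanner, so it is neither confirmed clean nor confirmed malicious (C:\WINDOWS\system32\drivers\core.sys, locked in the log above, is the file Panda later reports as disinfected); copies under System Volume Information\_restore exist only inside restore points; .bad files under C:\VundoFix Backups are VundoFix's renamed quarantine copies; and anything under Temporary Internet Files is a cached download. The paths and verdicts in the sample are copied from the report above; the category names, the regex and the treatment of non-matching lines are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: eight entries copied from the Kaspersky Online Scanner
# report pasted above, one object per line (the scanner's own report lists them
# that way; the forum paste ran them together into a single paragraph).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe Ghost Installer: infected - 6 skipped
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\1FSLU9J4\Free-SpyHunter-Scanner-Install[1].exe UPX: infected - 6 skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0021438.exe Infected: Trojan-Clicker.Win32.VB.po skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022541.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\cbxuspm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
"""

# One entry is "<path> <status> <action>". Status is one of "Object is locked",
# "Infected: <verdict>" or "<packer>: infected - <n>". Paths contain spaces, so the
# path group is non-greedy and the packer name is restricted to letters, digits and
# spaces; that keeps it from swallowing path components (a heuristic, not a grammar).
ENTRY_RE = re.compile(
    r"(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<packer>[A-Za-z0-9 ]+): infected - (?P<count>\d+)) "
    r"(?P<action>skipped|deleted|disinfected|quarantined)"
)


@dataclass
class Finding:
    path: str
    verdict: str      # "" for locked objects
    action: str
    category: str     # one of the buckets returned by classify()


def classify(path: str, locked: bool) -> str:
    """Bucket an entry by where the object sits (category names are my own)."""
    p = path.lower()
    if locked:
        return "locked"          # never scanned: neither confirmed clean nor malicious
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"   # old copy held by System Restore; goes when restore points are flushed
    if p.startswith("c:\\vundofix backups\\"):
        return "quarantine"      # renamed .bad copy kept by VundoFix; delete the backup folder
    if "\\temporary internet files\\" in p:
        return "browser_cache"   # downloaded installer in the IE cache; clear the cache
    return "live"                # an installed file: the only bucket that needs a closer look


def parse_report(text: str) -> list[Finding]:
    """Parse one-object-per-line report text; lines that do not match are ignored."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.fullmatch(line.strip())
        if m is None:
            continue
        locked = m.group("locked") is not None
        if m.group("verdict"):
            verdict = m.group("verdict")
        elif m.group("packer"):
            verdict = f"{m.group('packer')}: infected - {m.group('count')}"
        else:
            verdict = ""
        findings.append(Finding(m.group("path"), verdict, m.group("action"),
                                classify(m.group("path"), locked)))
    return findings


def summarize(text: str) -> Counter:
    """Number of entries per category."""
    return Counter(f.category for f in parse_report(text))


def live_findings(text: str) -> list[Finding]:
    """Detections on files that are actually installed, not cached, quarantined or in restore points."""
    return [f for f in parse_report(text) if f.category == "live"]


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{category:14s} {n}")
    for f in live_findings(SAMPLE_REPORT):
        print("LIVE:", f.path, f.verdict)
```

    On the sample, the only "live" hit is digstream.exe, which is exactly the one file the helper later asks about; everything else is either a cache or quarantine copy, a restore-point copy, or a locked file that was simply not read.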
  • edited June 2007
    I decided not to delete Viewpoint, but I went ahead and did everything else as suggested. Here are the new Panda and Kaspersky online scan results.


    Kaspersky Online Scan:

    Friday, June 22, 2007 10:31:02 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 22/06/2007
    Kaspersky Anti-Virus database records: 350974

    Scan Settings
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target: My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects: 61436
    Number of viruses found: 8
    Number of infected objects: 9 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:35:06

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0021437.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0021438.exe Infected: Trojan-Clicker.Win32.VB.po skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022541.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022543.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022544.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022546.exe Infected: Trojan.Win32.Agent.anr skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP307\A0022556.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\A0023774.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\change.log Object is locked skipped

    Panda ActiveScan:

    Incident Status Location
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jason\Local Settings\Temp\nse13.tmp
    Potentially unwanted tool:Application/ViewPoint Not disinfected C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    Virus:Malware Generic Disinfected C:\WINDOWS\system32\drivers\core.sys
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
  • edited June 2007
    I don't know why Kaspersky detected Digstream:
    http://www.castlecops.com/s921-DIGStream.html
    I suppose you want to keep it, in any case?


    Otherwise everything looks good....any problems now?


    You should also flush your system restore points and create a new one now:
    http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
  • edited June 2007
    Well, I'm still getting some annoying pop-ups when I use Internet Explorer...but the computer's functional, anyway. I went ahead and erased the saved restore points, and created a new one. Any other thoughts on potential sources of those pop-ups? Thanks again for all of your help.
  • edited June 2007
    Do those pop-ups occur only when you visit specific sites? Or do they seem to appear from nowhere?

    Right-click one of the pop-ups, and click Properties. Post the URL it's leading to in your next reply, but disable the link please by inserting hxxp instead of http.
  • edited June 2007
    The pop-ups seem to appear out of nowhere, and occur intermittently (perhaps 1 out of 4 websites I visit generates a pop-up). Here's a sample URL: hxxp://crackspace.net/
  • edited June 2007
    Try re-installing your browser to see if that does the trick.


    Please download the AVG Antirootkit program.
    http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5
    Install the program, then restart your computer if prompted.

    Run the program and click the "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path" Do not fix anything yet. Let me know what is found in your reply.