[Closed] virtumonde

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Closed] virtumonde, infected

Options

big666 View Member Profile	Aug 15 2008, 06:38 PM Post #1
New Member Group: Authentic Member Posts: 6 Joined: 15-August 08 From: canada quebec Member No.: 80,982 Operating System: windows xp pro OEM virtumonde virus	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:34:09, on 2008-08-15 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\WINDOWS\system32\tcpsvcs.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\mqsvc.exe C:\WINDOWS\system32\mqtgsvc.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagic.exe C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagicnt.exe C:\Program Files\Trend Micro\HijackThis\Scanner.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {661778F7-CDDA-4611-99B0-43245C7E971D} - C:\WINDOWS\system32\mlJBSjkk.dll O2 - BHO: (no name) - {6A88CF3E-2DB7-4683-89BC-D04DBCEF55F6} - C:\WINDOWS\system32\nnnmMGXp.dll O2 - BHO: {f95c245e-4484-c63a-eb84-7009fc276da6} - {6ad672cf-9007-48be-a36c-4844e542c59f} - C:\WINDOWS\system32\gijkde.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll (file missing) O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [b8ac99d5] rundll32.exe "C:\WINDOWS\system32\cgyevspj.dll",b O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217776867015 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15103/CTPID.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: mlJBSjkk - C:\WINDOWS\SYSTEM32\mlJBSjkk.dll O21 - SSODL: wbqxfpgl - {7B22FE29-2FD1-4027-9529-CC02835AE9BE} - C:\WINDOWS\wbqxfpgl.dll (file missing) O21 - SSODL: tpabfelq - {E4F62242-276E-4E31-B409-D78C4CA3972D} - C:\WINDOWS\tpabfelq.dll (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 11414 bytes

mschroe919 View Member Profile	Aug 15 2008, 07:06 PM Post #2
basic Group: Malware Team Posts: 2,332 Joined: 12-January 05 From: Michigan Member No.: 22,799 Operating System: XP HOME	Hi big666 Welcome to the What the tech Forums My name is mschroe919 and I am going to read your log. I would like to help you So if you would.... Please be patient and I will be back as soon as possible. But first fix your wordpad I don't want the log in the middle please I will miss something for sure that way. Please while I am gone do these steps: Show hidden files, Here is how: Windows XP * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. * Under the Hidden files and folders heading select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. NEXT: Please download ATF Cleaner by Atribune. Download it HERE: This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. NEXT: Malwarebytes' Anti-Malware HERE * Double-click mbam-setup.exe and follow the prompts to install the program. * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select Perform FULL SCAN, then click Scan. * When the scan is complete, click OK, then Show Results to view the results. * Be sure that everything is checked, and click Remove Selected. * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt post a new scanner[HJT] log and the Malwarebytes' Anti-Malware log Be sure not to delete anything intill said ok to. also don't run any other cleanup programs till we get done it may goof ours up. Also if you have any questions feel fre to ask first. When you post another rhjt log and the Malwarebytes' Anti-Malware log , let me know how your PC is behavuing I will be waiting to see new logs mschroe919

big666 View Member Profile	Aug 15 2008, 09:35 PM Post #3
New Member Group: Authentic Member Posts: 6 Joined: 15-August 08 From: canada quebec Member No.: 80,982 Operating System: windows xp pro OEM virtumonde virus	excuse me i m forget this im cannot update malware because the virus stop my connection internet but at present the connection is ready for update im rescann with new update and resend log thank and excuse my english

big666 View Member Profile	Aug 15 2008, 10:54 PM Post #4
New Member Group: Authentic Member Posts: 6 Joined: 15-August 08 From: canada quebec Member No.: 80,982 Operating System: windows xp pro OEM virtumonde virus	(resolved) virtumonde infected thank

mschroe919 View Member Profile	Aug 15 2008, 11:27 PM Post #5
basic Group: Malware Team Posts: 2,332 Joined: 12-January 05 From: Michigan Member No.: 22,799 Operating System: XP HOME	Hi big666 What do you mean: QUOTE resolved) virtumonde infected are you telling me you pc is clean? I should see another hjt log to be sure. I think you log will show me some more bad stuff. please send anothe hjt log mschroe919

big666 View Member Profile	Aug 17 2008, 03:06 PM Post #6
New Member Group: Authentic Member Posts: 6 Joined: 15-August 08 From: canada quebec Member No.: 80,982 Operating System: windows xp pro OEM virtumonde virus	hy mschroe919 yes i think to my pc is clean i send you my last hijackthis log thank you Attached File(s) hijackthis2.txt ( 11.77K ) Number of downloads: 6

mschroe919 View Member Profile	Aug 18 2008, 10:26 AM Post #7
basic Group: Malware Team Posts: 2,332 Joined: 12-January 05 From: Michigan Member No.: 22,799 Operating System: XP HOME	Hi Big666, Your Pc may be running better but more work to be done. NEXT: Make sure Internet Explorer isn't open Run hijackthis again. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these: (Not to worry if not there) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: (no name) - {46DFB27F-34AE-482F-8B24-97B1967CF91B} - C:\WINDOWS\system32\nnnmMGXp.dll (file missing) O2 - BHO: (no name) - {661778F7-CDDA-4611-99B0-43245C7E971D} - C:\WINDOWS\system32\mlJBSjkk.dll (file missing) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: vwsrfton - {ABA69CF4-20FB-42CE-BB6D-B6171D64B8EC} - C:\WINDOWS\vwsrfton.dll (file missing) O20 - Winlogon Notify: mlJBSjkk - mlJBSjkk.dll (file missing) O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing) Close ALL windows and browsers except HijackThis and click []b]Fix checked[/b] Then reboot NEXT: After reboot Do a search for theses and if found: Delete the files in RED>>not to worry if not there. C:\WINDOWS\vwsrfton.dll mlJBSjkk.dll reboot and post a HijackThis log good luck mschroe919

mschroe919 View Member Profile	Sep 6 2008, 07:51 AM Post #8
basic Group: Malware Team Posts: 2,332 Joined: 12-January 05 From: Michigan Member No.: 22,799 Operating System: XP HOME	Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

« Next Oldest · HijackThis™ Logs and Infections Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
HijackThis™ Logs and Infections Removal [Resolved] Trojan.Vundo + Fixed part of it and now I get BUNCH of 12	15	Parth	99	38 minutes ago Last post by: Rorschach112
HijackThis™ Logs and Infections Removal [Closed] HJT Log - Please help, so so many popups	6	Pepito00	74	Today, 09:00 AM Last post by: BHowett
HijackThis™ Logs and Infections Removal [Closed] Please help me to remove Rapid Antivirus	8	fragolla	314	Today, 08:59 AM Last post by: BHowett
HijackThis™ Logs and Infections Removal [Resolved] That stupid AntiVirus 2008 thing	12	Megamuffin	131	Today, 06:24 AM Last post by: ken545