 
Problem with Virtumonde and Win32.WinFixer [RESOLVED]
TaterState
post Sep 9 2007, 09:12 PM
Post #1


Member
Posts: 26
From: Boise, ID
OS: Windows XP



Hi, I completed all tasks in the "Before Posting" section. Problem before arriving at your site: the kids formatted drive C: and loaded Windows XP. They failed to process any upgrades. The system became sluggish, with numerous pop-ups about every 30 seconds. I processed all Windows updates to SP2, then found this site, which advises not to put SP2 on top of viruses. Sorry! The problem of pop-ups seems to be gone for now, but each step in your pre-post process identifies malware, viruses, or rootkits still in the system. Thanks in advance for all your help. FYI, a drive E: is present and has some infections. All scans were run on both drives. Home network sharing is currently enabled. Do you recommend stopping all shared files?

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:01:41 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Setup Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S66.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1) on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187927644452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

KASPERSKY
Sunday, September 09, 2007 11:57:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 9/09/2007
Kaspersky Anti-Virus database records: 410615


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\Documents and Settings\
C:\Program Files\
C:\System Volume Information\
C:\WINDOWS\

Scan Statistics
Total number of scanned objects 29784
Number of viruses found 4
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 00:23:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah\Local Settings\History\History.IE5\MSHist012007090920070910\index.dat Object is locked skipped

C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Sarah\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP36\A0009107.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP36\A0009107.exe Inno: infected - 1 skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013313.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013313.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013313.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013313.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013313.exe Inno: infected - 4 skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP40\A0013314.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP41\A0013923.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP41\A0013923.exe Inno: infected - 1 skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP41\A0013938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\_restore{6B2242CF-1819-4A14-BF82-3E9F3C958AA7}\RP43\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{B653C56E-E8F9-45C7-8555-17CBF50D6CA9}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_604.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_698.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


PANDA ACTIVESCAN

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Sarah\Desktop\ComboFix.exe[nircmd.exe]
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\Program Files\WinAntiSpyware 2007\AsAgents.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\Program Files\WinAntiSpyware 2007\fopnl.dll.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\Program Files\WinAntiSpyware 2007\InstUp.exe.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\Program Files\WinAntiSpyware 2007\shellext.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\catchme2007-09-09_ 01126.07.zip[fccdcbc.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Regards - TaterState
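A way to work through logs like the ones in this thread, as an added example that is not part of the original posts: the script below pulls the numbered entries out of a HijackThis log, flags the ones a helper would look at first (a target marked "(no file)" or "(file missing)", an unnamed BHO, a service with an unknown owner, an image path with an odd number of quotes, anything referencing a Temp directory), and diffs two logs to show what changed between scans. The two log excerpts inside it are lines copied from the HijackThis logs posted in this thread, trimmed to a few entries each; the flag names and section labels are the example's own.

```python
"""Triage HijackThis (HJT) O-lines and diff two logs taken on different days.

Added example, not code from the thread. The two strings below are excerpts
of the HijackThis logs posted in this thread (post #1 and post #3), trimmed
to a few lines each; point the functions at the full log text in practice.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section such as "O23", rest of the line)

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*\S)\s*$")

# Human-readable labels for the HJT sections that appear in the thread.
SECTION_NAMES = {
    "O2": "browser helper object", "O3": "IE toolbar", "O4": "autorun",
    "O9": "IE extra button/menu", "O16": "ActiveX download",
    "O18": "protocol handler", "O20": "Winlogon Notify DLL", "O23": "service",
}

# Excerpt of the first HJT log (9/9/2007).
HJT_LOG_1 = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Excerpt of the second HJT log (9/13/2007, inside the DSS report).
HJT_LOG_2 = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the numbered O-lines; the process list and headers are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flags_for(section: str, body: str) -> List[str]:
    """Heuristics a helper checks first; a hit means 'look at this', not 'malware'."""
    flags = []
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        flags.append("target absent")           # orphaned entry, or a DLL already removed
    if section == "O2" and "(no name)" in low:
        flags.append("unnamed BHO")             # legitimate BHOs almost always carry a name
    if section == "O23" and "unknown owner" in low:
        flags.append("unknown service owner")   # no company string in the service binary
    if body.count('"') % 2 == 1:
        flags.append("unbalanced quotes")       # broken ImagePath; explains a 'file missing'
    if re.search(r"\\temp\\", low):
        flags.append("references a Temp directory")
    return flags


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (section label, body, flags) for every entry that raised a flag."""
    result = []
    for section, body in parse_hjt(text):
        flags = flags_for(section, body)
        if flags:
            result.append((SECTION_NAMES.get(section, section), body, flags))
    return result


def diff_logs(old: str, new: str) -> Dict[str, List[Entry]]:
    """Entries present in only one of the two logs, sorted for stable output."""
    a, b = set(parse_hjt(old)), set(parse_hjt(new))
    return {"added": sorted(b - a), "removed": sorted(a - b)}


if __name__ == "__main__":
    for label, body, flags in triage(HJT_LOG_2):
        print(f"[{label}] {body}\n    -> {', '.join(flags)}")
    for kind, entries in diff_logs(HJT_LOG_1, HJT_LOG_2).items():
        for section, body in entries:
            print(f"{kind:>7}: {section} - {body}")
```

The flags are prompts for review, not verdicts: on these excerpts the avast! Mail Scanner service line trips three heuristics, but the stray quote in its path is a plausible explanation for the "(file missing)" by itself, while an unnamed BHO pointing at no file is the kind of orphaned registration a quarantined DLL leaves behind and is worth asking about. The diff shows what appeared between the two scans (the Google toolbar entries and the no-name BHO) and what went away (the Messenger autorun).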
MoNsTeReNeRgY22
post Sep 13 2007, 04:50 PM
Post #2


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Hello and Welcome to Geeks to Go.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Sorry for the delay, we have been quite busy around here.

Step 1
Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)


Step 2
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with the DSS log.
  • Click Close to exit the program.
TaterState
post Sep 13 2007, 10:14 PM
Post #3


Member
Posts: 26
From: Boise, ID
OS: Windows XP



Thank you for replying. Step 1 and Step 2 ran smoothly; here are the results:
MAIN.TXT
Deckard's System Scanner v20070905.67
Run by Sarah on 2007-09-13 19:49:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-09-14 01:49:12 UTC - RP50 - Deckard's System Scanner Restore Point
6: 2007-09-13 03:17:18 UTC - RP49 - System Checkpoint
5: 2007-09-12 03:00:15 UTC - RP48 - Software Distribution Service 3.0
4: 2007-09-11 16:17:18 UTC - RP47 - System Checkpoint
3: 2007-09-10 15:37:25 UTC - RP46 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2007-09-09 20:01:18 UTC - RP44 - With Virus pre Geeks To Go


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Sarah.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:49:21 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sarah\Desktop\dss.exe
C:\SETUPF~1\HIJACK~1\Sarah.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S66.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1) on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187927644452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\sarah\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Camera
Device ID: USB\VID_046D&PID_08A6&MI_00\6&260B400A&0&0000
Manufacturer:
Name: Camera
PNP Device ID: USB\VID_046D&PID_08A6&MI_00\6&260B400A&0&0000
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Service:


-- Files created between 2007-08-13 and 2007-09-13 -----------------------------

2007-09-12 20:21:57 0 d-------- C:\WINDOWS\LastGood
2007-09-10 09:37:27 0 d-------- C:\Program Files\Lavasoft
2007-09-10 09:37:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-09 19:52:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-09 17:34:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-09 17:34:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-09 17:34:22 0 d-------- C:\Documents and Settings\Sarah\Application Data\SUPERAntiSpyware.com
2007-09-09 17:33:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 14:48:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-09 14:07:38 0 d-------- C:\Documents and Settings\Sarah\Application Data\Grisoft
2007-09-09 14:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 14:03:20 0 d-------- C:\WINDOWS\pss
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-09 12:42:09 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-09 12:42:09 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-09 12:42:09 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-09 12:42:09 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-09 12:42:09 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-09 12:42:08 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-09 00:32:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-09 00:31:47 0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-09 00:31:45 0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-09 00:01:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-09 00:00:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-08 23:10:22 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-09-08 23:07:22 0 d-------- C:\WINDOWS\Prefetch
2007-09-08 23:07:21 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-08 23:03:49 0 d-------- C:\Program Files\Ace Utilities
2007-09-08 22:48:19 0 d-------- C:\WINDOWS\provisioning
2007-09-08 22:48:19 0 d-------- C:\WINDOWS\peernet
2007-09-08 22:46:44 0 d-------- C:\WINDOWS\ServicePackFiles
2007-09-08 22:41:57 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-08 22:38:56 0 d-------- C:\WINDOWS\EHome
2007-09-08 02:04:38 0 d-------- C:\Documents and Settings\Sarah\Application Data\WinRAR
2007-08-27 15:28:56 0 d-------- C:\Documents and Settings\Sarah\Contacts
2007-08-27 15:28:34 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-27 15:15:50 0 d-------- C:\Documents and Settings\Sarah\Application Data\Help
2007-08-26 21:00:29 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-08-26 21:00:29 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2007-08-25 23:16:38 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2007-08-25 23:04:21 0 d-------- C:\WINDOWS\system32\FxsTmp
2007-08-25 22:29:44 0 d-------- C:\WINDOWS\system32\bits
2007-08-25 22:11:59 0 d-------- C:\Program Files\EPSON
2007-08-24 15:51:22 0 d-------- C:\Program Files\Electronic Arts
2007-08-24 15:48:15 0 d-------- C:\WINDOWS\RegisteredPackages
2007-08-24 15:47:21 0 d--h----- C:\Program Files\win32Gl
2007-08-23 22:01:04 0 d-------- C:\WINDOWS\Sun
2007-08-23 22:01:04 0 d-------- C:\Documents and Settings\Sarah\Application Data\Sun
2007-08-23 22:00:25 0 d-------- C:\Program Files\Java
2007-08-23 21:58:47 0 d-------- C:\Program Files\Common Files\Java
2007-08-23 21:54:17 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-08-23 21:51:24 0 d---s---- C:\Documents and Settings\Sarah\UserData
2007-08-23 12:05:05 0 d-------- C:\Documents and Settings\Sarah\Application Data\Adobe
2007-08-23 12:04:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-08-23 12:04:15 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-23 11:27:07 0 d-------- C:\Program Files\uTorrent
2007-08-23 11:27:03 0 d-------- C:\Documents and Settings\Sarah\Application Data\uTorrent
2007-08-23 11:24:56 0 d-------- C:\Program Files\DAEMON Tools
2007-08-23 11:23:40 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-22 22:52:23 266240 --a------ C:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2007-08-22 22:52:23 225280 --a------ C:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2007-08-22 22:52:23 28672 --a------ C:\WINDOWS\CMIRmDriver.dll
2007-08-22 22:52:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-22 22:52:23 0 d-------- C:\Program Files\C-Media 3D Audio
2007-08-22 22:43:30 984 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-08-20 00:56:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-20 00:24:30 0 d-------- C:\Documents and Settings\Sarah\Application Data\Google
2007-08-20 00:15:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-08-20 00:15:18 0 d-------- C:\Program Files\Google
2007-08-20 00:15:07 0 d-------- C:\Documents and Settings\Sarah\Application Data\Macromedia
2007-08-19 22:29:46 0 d-------- C:\Program Files\MSN Messenger
2007-08-19 22:12:34 0 d-------- C:\WINDOWS\nview
2007-08-19 22:11:39 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-19 22:11:32 0 d-------- C:\NVIDIA
2007-08-19 21:45:05 0 d-------- C:\Program Files\Alwil Software
2007-08-19 21:43:31 0 d-------- C:\Setup Files
2007-08-19 21:30:20 0 d--hs---- C:\WINDOWS\Installer
2007-08-19 21:30:18 0 d-------- C:\Documents and Settings\Sarah\Application Data\Identities
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\Templates
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\Start Menu
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\SendTo
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\Recent
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\PrintHood
2007-08-19 21:30:11 1835008 --ah----- C:\Documents and Settings\Sarah\NTUSER.DAT
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\NetHood
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\My Documents
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\Local Settings
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\Favorites
2007-08-19 21:30:11 0 d-------- C:\Documents and Settings\Sarah\Desktop
2007-08-19 21:30:11 0 d---s---- C:\Documents and Settings\Sarah\Cookies
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\Application Data
2007-08-19 21:28:25 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-08-19 21:28:25 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-08-19 21:28:25 233472 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-08-19 21:28:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-08-19 21:28:25 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-08-19 21:28:24 233472 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-08-19 21:25:47 0 d-------- C:\WINDOWS\system32\xircom
2007-08-19 21:25:47 0 d-------- C:\Program Files\microsoft frontpage
2007-08-19 21:25:46 233472 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-08-19 21:25:37 0 -rahs---- C:\MSDOS.SYS
2007-08-19 21:25:37 0 -rahs---- C:\IO.SYS
2007-08-19 21:25:37 0 --a------ C:\CONFIG.SYS
2007-08-19 21:25:37 0 --a------ C:\AUTOEXEC.BAT
2007-08-19 21:24:49 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-08-19 21:24:41 0 dr------- C:\WINDOWS\Offline Web Pages
2007-08-19 21:24:41 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-08-19 21:23:42 0 d-------- C:\WINDOWS\Registration
2007-08-19 20:41:45 0 d-------- C:\WINDOWS\srchasst
2007-08-19 20:41:40 0 d-------- C:\WINDOWS\system32\DirectX
2007-08-19 20:41:39 0 d-------- C:\WINDOWS\system32\Macromed
2007-08-19 20:41:30 0 d-------- C:\Program Files\Movie Maker
2007-08-19 20:41:09 0 d-------- C:\WINDOWS\system32\Restore
2007-08-19 20:41:04 0 d-------- C:\WINDOWS\PCHEALTH
2007-08-19 20:41:00 0 d---s---- C:\WINDOWS\Tasks
2007-08-19 20:40:57 0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-19 20:40:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-19 20:40:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-08-19 20:40:03 0 d-------- C:\Program Files\Online Services
2007-08-19 20:39:58 0 d-------- C:\Program Files\Messenger
2007-08-19 20:39:50 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-19 20:39:43 0 d-------- C:\Program Files\Windows NT
2007-08-19 20:39:35 0 d-------- C:\WINDOWS\system32\MsDtc
2007-08-19 20:39:33 0 d-------- C:\WINDOWS\system32\Com
2007-08-19 19:37:08 0 d--hs---- C:\System Volume Information
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-08-19 15:00:12 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-08-19 15:00:12 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-08-19 15:00:12 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\All Users\Documents
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-08-19 14:59:51 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-08-19 14:59:51 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-08-19 14:59:51 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-08-19 14:59:51 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-08-19 14:33:23 0 d-------- C:\Program Files\Common Files\ODBC
2007-08-19 14:33:21 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-19 14:33:20 0 dr------- C:\Program Files
2007-08-19 14:33:20 0 d-------- C:\Program Files\Common Files
2007-08-19 14:32:48 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-08-19 14:32:48 0 d-------- C:\WINDOWS\system32\CatRoot
2007-08-19 14:32:27 0 d-------- C:\Documents and Settings
2007-08-19 14:28:02 0 d-------- C:\WINDOWS
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\WinSxS
2007-08-19 14:28:02 0 dr------- C:\WINDOWS\Web
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\twain_32
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\wins
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\wbem
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\usmt
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\spool
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ShellExt
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\Setup
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ras
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\oobe
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\npp
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\mui
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\inetsrv
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\IME
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\icsxml
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ias
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\export
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-08-19 14:28:02 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\dhcp
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\config
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\3076
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\2052
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1054
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1042
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1041
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1037
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1033
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1031
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1028
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1025
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\security
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Resources
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\repair
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\mui
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\msapps
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\msagent
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Media
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\java
2007-08-19 14:28:02 0 d--h----- C:\WINDOWS\inf
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\ime
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Help
2007-08-19 14:28:02 0 dr--s---- C:\WINDOWS\Fonts
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Driver Cache
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Debug
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Cursors
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Connection Wizard
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\Config
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\AppPatch
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-08-19 15:00:12 62 --ahs---- C:\Documents and Settings\Sarah\Application Data\desktop.ini
2007-06-29 00:43:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 04:06 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [06/29/2007 12:43 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [06/29/2007 12:43 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.exe" [05/23/2006 04:00 AM]
"Auto EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1) on MAIN"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.exe" [05/23/2006 04:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [09/09/2007 08:47 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [09/12/2007 08:22 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 09/09/2007 08:47 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\jkhhe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - USNJSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7F991010-A396-8AFF-D343-9DD3B6A205D0}]
C:\Program Files\win32Gl\svhost.exe s



-- End of Deckard's System Scanner: finished at 2007-09-13 19:51:29 ------------



EXTRA.TXT
Deckard's System Scanner v20070905.67
Run by Sarah on 2007-09-13 19:49:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-09-14 01:49:12 UTC - RP50 - Deckard's System Scanner Restore Point
6: 2007-09-13 03:17:18 UTC - RP49 - System Checkpoint
5: 2007-09-12 03:00:15 UTC - RP48 - Software Distribution Service 3.0
4: 2007-09-11 16:17:18 UTC - RP47 - System Checkpoint
3: 2007-09-10 15:37:25 UTC - RP46 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2007-09-09 20:01:18 UTC - RP44 - With Virus pre Geeks To Go


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Sarah.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:49:21 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sarah\Desktop\dss.exe
C:\SETUPF~1\HIJACK~1\Sarah.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S66.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus Photo RX580 Series on DPR1260 (dlinkps-fb2b65 USB Port_1) on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S3.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187927644452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\sarah\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Camera
Device ID: USB\VID_046D&PID_08A6&MI_00\6&260B400A&0&0000
Manufacturer:
Name: Camera
PNP Device ID: USB\VID_046D&PID_08A6&MI_00\6&260B400A&0&0000
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&267A616A&0&1B
Service:


-- Files created between 2007-08-13 and 2007-09-13 -----------------------------

2007-09-12 20:21:57 0 d-------- C:\WINDOWS\LastGood
2007-09-10 09:37:27 0 d-------- C:\Program Files\Lavasoft
2007-09-10 09:37:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-09 19:52:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-09 17:34:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-09 17:34:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-09 17:34:22 0 d-------- C:\Documents and Settings\Sarah\Application Data\SUPERAntiSpyware.com
2007-09-09 17:33:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 14:48:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-09 14:07:38 0 d-------- C:\Documents and Settings\Sarah\Application Data\Grisoft
2007-09-09 14:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 14:03:20 0 d-------- C:\WINDOWS\pss
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-09 12:42:09 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-09 12:42:09 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-09 12:42:09 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-09 12:42:09 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-09 12:42:09 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-09 12:42:09 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-09 12:42:09 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-09 12:42:08 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-09 00:32:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-09 00:31:47 0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-09 00:31:45 0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-09 00:01:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-09 00:00:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-08 23:10:22 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-09-08 23:07:22 0 d-------- C:\WINDOWS\Prefetch
2007-09-08 23:07:21 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-08 23:03:49 0 d-------- C:\Program Files\Ace Utilities
2007-09-08 22:48:19 0 d-------- C:\WINDOWS\provisioning
2007-09-08 22:48:19 0 d-------- C:\WINDOWS\peernet
2007-09-08 22:46:44 0 d-------- C:\WINDOWS\ServicePackFiles
2007-09-08 22:41:57 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-08 22:38:56 0 d-------- C:\WINDOWS\EHome
2007-09-08 02:04:38 0 d-------- C:\Documents and Settings\Sarah\Application Data\WinRAR
2007-08-27 15:28:56 0 d-------- C:\Documents and Settings\Sarah\Contacts
2007-08-27 15:28:34 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-27 15:15:50 0 d-------- C:\Documents and Settings\Sarah\Application Data\Help
2007-08-26 21:00:29 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-08-26 21:00:29 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2007-08-25 23:16:38 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2007-08-25 23:04:21 0 d-------- C:\WINDOWS\system32\FxsTmp
2007-08-25 22:29:44 0 d-------- C:\WINDOWS\system32\bits
2007-08-25 22:11:59 0 d-------- C:\Program Files\EPSON
2007-08-24 15:51:22 0 d-------- C:\Program Files\Electronic Arts
2007-08-24 15:48:15 0 d-------- C:\WINDOWS\RegisteredPackages
2007-08-24 15:47:21 0 d--h----- C:\Program Files\win32Gl
2007-08-23 22:01:04 0 d-------- C:\WINDOWS\Sun
2007-08-23 22:01:04 0 d-------- C:\Documents and Settings\Sarah\Application Data\Sun
2007-08-23 22:00:25 0 d-------- C:\Program Files\Java
2007-08-23 21:58:47 0 d-------- C:\Program Files\Common Files\Java
2007-08-23 21:54:17 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-08-23 21:51:24 0 d---s---- C:\Documents and Settings\Sarah\UserData
2007-08-23 12:05:05 0 d-------- C:\Documents and Settings\Sarah\Application Data\Adobe
2007-08-23 12:04:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-08-23 12:04:15 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-23 11:27:07 0 d-------- C:\Program Files\uTorrent
2007-08-23 11:27:03 0 d-------- C:\Documents and Settings\Sarah\Application Data\uTorrent
2007-08-23 11:24:56 0 d-------- C:\Program Files\DAEMON Tools
2007-08-23 11:23:40 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-22 22:52:23 266240 --a------ C:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2007-08-22 22:52:23 225280 --a------ C:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2007-08-22 22:52:23 28672 --a------ C:\WINDOWS\CMIRmDriver.dll
2007-08-22 22:52:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-22 22:52:23 0 d-------- C:\Program Files\C-Media 3D Audio
2007-08-22 22:43:30 984 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-08-20 00:56:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-20 00:24:30 0 d-------- C:\Documents and Settings\Sarah\Application Data\Google
2007-08-20 00:15:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-08-20 00:15:18 0 d-------- C:\Program Files\Google
2007-08-20 00:15:07 0 d-------- C:\Documents and Settings\Sarah\Application Data\Macromedia
2007-08-19 22:29:46 0 d-------- C:\Program Files\MSN Messenger
2007-08-19 22:12:34 0 d-------- C:\WINDOWS\nview
2007-08-19 22:11:39 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-19 22:11:32 0 d-------- C:\NVIDIA
2007-08-19 21:45:05 0 d-------- C:\Program Files\Alwil Software
2007-08-19 21:43:31 0 d-------- C:\Setup Files
2007-08-19 21:30:20 0 d--hs---- C:\WINDOWS\Installer
2007-08-19 21:30:18 0 d-------- C:\Documents and Settings\Sarah\Application Data\Identities
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\Templates
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\Start Menu
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\SendTo
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\Recent
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\PrintHood
2007-08-19 21:30:11 1835008 --ah----- C:\Documents and Settings\Sarah\NTUSER.DAT
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\NetHood
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\My Documents
2007-08-19 21:30:11 0 d--h----- C:\Documents and Settings\Sarah\Local Settings
2007-08-19 21:30:11 0 dr------- C:\Documents and Settings\Sarah\Favorites
2007-08-19 21:30:11 0 d-------- C:\Documents and Settings\Sarah\Desktop
2007-08-19 21:30:11 0 d---s---- C:\Documents and Settings\Sarah\Cookies
2007-08-19 21:30:11 0 dr-h----- C:\Documents and Settings\Sarah\Application Data
2007-08-19 21:28:25 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-08-19 21:28:25 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-08-19 21:28:25 233472 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-08-19 21:28:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-08-19 21:28:25 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-08-19 21:28:25 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-08-19 21:28:24 233472 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-08-19 21:25:47 0 d-------- C:\WINDOWS\system32\xircom
2007-08-19 21:25:47 0 d-------- C:\Program Files\microsoft frontpage
2007-08-19 21:25:46 233472 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-08-19 21:25:37 0 -rahs---- C:\MSDOS.SYS
2007-08-19 21:25:37 0 -rahs---- C:\IO.SYS
2007-08-19 21:25:37 0 --a------ C:\CONFIG.SYS
2007-08-19 21:25:37 0 --a------ C:\AUTOEXEC.BAT
2007-08-19 21:24:49 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-08-19 21:24:41 0 dr------- C:\WINDOWS\Offline Web Pages
2007-08-19 21:24:41 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-08-19 21:23:42 0 d-------- C:\WINDOWS\Registration
2007-08-19 20:41:45 0 d-------- C:\WINDOWS\srchasst
2007-08-19 20:41:40 0 d-------- C:\WINDOWS\system32\DirectX
2007-08-19 20:41:39 0 d-------- C:\WINDOWS\system32\Macromed
2007-08-19 20:41:30 0 d-------- C:\Program Files\Movie Maker
2007-08-19 20:41:09 0 d-------- C:\WINDOWS\system32\Restore
2007-08-19 20:41:04 0 d-------- C:\WINDOWS\PCHEALTH
2007-08-19 20:41:00 0 d---s---- C:\WINDOWS\Tasks
2007-08-19 20:40:57 0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-19 20:40:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-19 20:40:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-08-19 20:40:03 0 d-------- C:\Program Files\Online Services
2007-08-19 20:39:58 0 d-------- C:\Program Files\Messenger
2007-08-19 20:39:50 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-19 20:39:43 0 d-------- C:\Program Files\Windows NT
2007-08-19 20:39:35 0 d-------- C:\WINDOWS\system32\MsDtc
2007-08-19 20:39:33 0 d-------- C:\WINDOWS\system32\Com
2007-08-19 19:37:08 0 d--hs---- C:\System Volume Information
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-08-19 15:00:12 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-08-19 15:00:12 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-08-19 15:00:12 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-08-19 15:00:12 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-08-19 15:00:12 0 dr------- C:\Documents and Settings\All Users\Documents
2007-08-19 15:00:12 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-08-19 14:59:51 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-08-19 14:59:51 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-08-19 14:59:51 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-08-19 14:59:51 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-08-19 14:33:23 0 d-------- C:\Program Files\Common Files\ODBC
2007-08-19 14:33:21 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-19 14:33:20 0 dr------- C:\Program Files
2007-08-19 14:33:20 0 d-------- C:\Program Files\Common Files
2007-08-19 14:32:48 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-08-19 14:32:48 0 d-------- C:\WINDOWS\system32\CatRoot
2007-08-19 14:32:27 0 d-------- C:\Documents and Settings
2007-08-19 14:28:02 0 d-------- C:\WINDOWS
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\WinSxS
2007-08-19 14:28:02 0 dr------- C:\WINDOWS\Web
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\twain_32
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\wins
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\wbem
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\usmt
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\spool
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ShellExt
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\Setup
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ras
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\oobe
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\npp
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\mui
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\inetsrv
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\IME
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\icsxml
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\ias
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\export
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-08-19 14:28:02 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\dhcp
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\config
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\3076
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\2052
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1054
2007-08-19 14:28:02 0 d-------- C:\WINDOWS\system32\1042
2007-08-19
TaterState
post Sep 13 2007, 10:20 PM
Post #4


Member
Posts: 26
From: Boise, ID
OS: Windows XP



Sorry, I didn't realize part of the first post got ignored. Here's the snipped file and the scan log missing from above.

EXTRA.TXT (complete file)
Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1023.36 MiB / 605.48 MiB
Pagefile Memory (total/avail): 2461.72 MiB / 2121.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.26 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 27.95 GiB total, 17.18 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 232.88 GiB total, 136.72 GiB free.
F: is CDROM (No Media)
P: is Network (NTFS)

\\.\PHYSICALDRIVE1 - WDC WD2500JB-00REA0 - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD300AB-00BVA0 - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1043 [VPS 000774-5] v4.7.1043 (ALWIL Software) Disabled

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sarah\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=UPSTAIRS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sarah
LOGONSERVER=\\UPSTAIRS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sarah\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sarah\LOCALS~1\Temp
USERDOMAIN=UPSTAIRS
USERNAME=Sarah
USERPROFILE=C:\Documents and Settings\Sarah
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sarah (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ace Utilities --> "C:\Program Files\Ace Utilities\uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 1.99.1 --> C:\DOCUME~1\Sarah\LOCALS~1\Temp\Rar$EX00.078\HijackThis.exe /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Need for Speed™ Carbon --> C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type264 / Success
Event Submitted/Written: 09/10/2007 08:54:48 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type258 / Success
Event Submitted/Written: 09/10/2007 08:50:45 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type257 / Warning
Event Submitted/Written: 09/10/2007 08:13:47 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type256 / Warning
Event Submitted/Written: 09/10/2007 08:13:47 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type255 / Warning
Event Submitted/Written: 09/10/2007 08:13:46 AM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1294 / Error
Event Submitted/Written: 09/11/2007 00:15:29 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Ace Utilities\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type1293 / Error
Event Submitted/Written: 09/11/2007 00:15:29 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type1292 / Error
Event Submitted/Written: 09/11/2007 00:15:29 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type1291 / Error
Event Submitted/Written: 09/11/2007 00:15:29 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Ace Utilities\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type1290 / Error
Event Submitted/Written: 09/11/2007 00:15:29 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2007-09-13 19:51:29 ------------


SUPERANTISPYWARE Scan Log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/13/2007 at 09:26 PM

Application Version : 3.9.1008

Core Rules Database Version : 3306
Trace Rules Database Version: 1312

Scan type : Complete Scan
Total Scan Time : 01:30:03

Memory items scanned : 410
Memory threats detected : 0
Registry items scanned : 3618
Registry threats detected : 0
File items scanned : 100562
File threats detected : 0
MoNsTeReNeRgY22
post Sep 14 2007, 07:20 PM
Post #5


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Well I only see one thing, and it is as follows.

I see you have µTorrent installed on your system.
While the program itself is legal, most of the files downloaded with it are not.
Also, quite often the files can be infected with viruses, malware, and other undesirable applications.
I highly recommend uninstalling µTorrent via Add or Remove Programs, but this is optional if you choose to keep it.
See HERE for details on P2P file sharing programs.

Other than that, your log looks clean!
Nice job!
How is it running?
Please use the following suggestion to help prevent reinfection.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

Now we need to make a new System Restore Point for your PC. Please do the following:
  • Click Start, Settings, Control Panel
  • Double-click the System icon
  • Click the Performance tab, File System, Troubleshooting tab
  • Check "Turn off System Restore" and click "Apply". Please give a moment as it will delete the old System Restore points
  • Then uncheck "Turn off System Restore" which will create a new System Restore point
  • Click OK

I highly recommend downloading the following programs, to keep malware off your computer to begin with.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

SUPERAntiSpyware - A very powerful tool which searches and kills malware that infect your system.

SpywareBlaster - Great prevention tool to keep malware from installing on your system.
**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
**Tutorial on installing & using this product can be found HERE**

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders.

AntiVirus Program - An AntiVirus program is a must in today's digital world! I recommend avast! 4 Home Edition, AVG, or Anti-Vir.
DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more.

Firewall - A firewall is definitely a must have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost.
**Tutorial on Firewalls can be found HERE**

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

And finally, a little "How did I get infected in the first place?" (by Tony Klein)

Good luck and safe surfing.
TaterState
post Sep 15 2007, 10:13 AM
Post #6


Member
Posts: 26
From: Boise, ID
OS: Windows XP



MoNsTeReNeRgY22,
Thanks so much for helping with this issue. I deleted Torrent using Add or Remove after reviewing the file sharing sheet. I then ran Ad-Aware, which found viruses. On closer examination, they were in quarantine folders. From Add or Remove I deleted the programs uploaded during this support cycle, and there was an option to delete the quarantine folder and files. I selected yes. I rebooted and ran a full Ad-Aware scan. Clean!! I then cleaned the registry with a utility, deleted my restore points, and then created a new one. As you know, the difference is amazing. Currently, Ad-Aware will be run frequently, Avast 4 is running continuously, and the modem has a built-in firewall which is PW protected. I spent some time with the TaterTots reviewing some of the additional information you supplied.

Again, thanks to you personally and the entire staff at G2G.

fp in id
MoNsTeReNeRgY22
post Sep 15 2007, 10:32 AM
Post #7


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



No Problem!

Glad I could help!
MoNsTeReNeRgY22
post Sep 15 2007, 10:32 AM
Post #8


GeekU Junior
Posts: 2,435
From: California
OS: Windows XP Media Center Edition SP3



Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.