AnimeSuki Forums

Old 2008-08-20, 08:16   Link #1
leonmagekyou
Junior Member
 
Join Date: Oct 2007
WIN32/Adware.Virtumonde and WIN32/PrivacyRemover.M64 Virus!!! HELP!!!

Hey everyone!!

I know I probably sound pretty desperate... (I am). I have just been infected with this virus, WIN32/Adware.Virtumonde and WIN32/PrivacyRemover.M64, from downloading a program. (This is the last time I'll be doing this.) I need some help with removing it. I am no computer expert. Can anyone offer their solutions to this problem?

THanks in advance...!!
Old 2008-08-20, 12:17   Link #2
gabbytay
Banned
 
Join Date: Jul 2007
Age: 33
try downloading hijackthis and post the logs

Removal tool. After you run this tool, check in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

DELETE these from the entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage and [same]\NoDispScrSvrPage (they are both set to 1). Delete both entries.
Old 2008-08-24, 21:26   Link #3
leonmagekyou
Junior Member
 
Join Date: Oct 2007
Hey!! Sorry for the late reply. Here are the logs requested!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:27, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\sccs.exe
C:\Documents and Settings\Owner\css.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\ppxcs.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Owner\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Owner\css.exe
O4 - HKLM\..\Run: [ppxcs] C:\Documents and Settings\Owner\ppxcs.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115.mail.live.com/m...s/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCBF5F1-66DB-4BB7-9A58-E650CCBCE8E5}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acpil50ps - VIA Technologies, Inc. - C:\WINDOWS\system32\drivers\fetnd5b.sys
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7954 bytes
Old 2008-08-24, 22:02   Link #4
xxmimixx
♥Sebastian's new wife♥
*Artist
 
 
Join Date: Aug 2006
Location: USA
Age: 31
^ BTW, the Isass.exe file is a trojan because I have one on my computer as well ><.

Maybe there is a way to get rid of that one as well oO.
Old 2008-08-25, 00:10   Link #5
gabbytay
Banned
 
Join Date: Jul 2007
Age: 33
Quote:
Originally Posted by mimi_girl
^ BTW, the Isass.exe file is a trojan because I have one on my computer as well ><.

Maybe there is a way to get rid of that one as well oO.
Isass is fine. It's isass (lower case) that is the trojan.

sccs.exe - spyware
css.exe - Virus

Run hijackthis again then check box for following:

C:\Documents and Settings\Owner\sccs.exe
C:\Documents and Settings\Owner\css.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\ppxcs.exe

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Owner\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Owner\css.exe
O4 - HKLM\..\Run: [ppxcs] C:\Documents and Settings\Owner\ppxcs.exe

After checking the boxes, click "Fix checked", then "Yes" all the way. After the reboot, run your anti-virus etc. Then run HijackThis again after running the scanners, to check for more viruses just in case.

Last edited by gabbytay; 2008-08-25 at 00:29.
Old 2008-08-25, 04:50   Link #6
leonmagekyou
Junior Member
 
Join Date: Oct 2007
Hey again!!
I followed your instructions... Here are the logs for you to check again!! Thanks so much!! I restarted my computer and the annoying automatic redirection by Mozilla Firefox to a scam website has stopped. Again, thank you!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:00, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115.mail.live.com/m...s/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCBF5F1-66DB-4BB7-9A58-E650CCBCE8E5}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acpil50ps - VIA Technologies, Inc. - C:\WINDOWS\system32\drivers\fetnd5b.sys
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7438 bytes
Old 2008-08-25, 10:55   Link #7
gabbytay
Banned
 
Join Date: Jul 2007
Age: 33
Remove this, then it's all good:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCBF5F1-66DB-4BB7-9A58-E650CCBCE8E5}: NameServer = 202.188.0.133 202.188.1.5

202.188.0.133 and 202.188.1.5 are most likely the culprit's IPs.
Old 2008-08-25, 21:27   Link #8
xxmimixx
♥Sebastian's new wife♥
*Artist
 
 
Join Date: Aug 2006
Location: USA
Age: 31
@gabbytay: Oh really? Well, now I know that my computer is fine. It's just slow =)
Old 2008-08-26, 06:57   Link #9
leonmagekyou
Junior Member
 
Join Date: Oct 2007
OMG gabbytay!! Thank you so much again!! You have been a great help. The virus seems completely cleared. I wish I could learn how to read logfiles too!!
Old 2008-08-26, 09:39   Link #10
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
People reading this thread need to start running Windows without administrator privileges! Set up an account for yourself without admin privileges (Control Panel > Users) and use that exclusively. This problem arose because some malware rewrote your DNS resolver records. If you're not an admin, these kinds of hijackings become a lot more difficult.

Some misbehaved software doesn't like running without admin privileges. Either log in as the Administrator to run just those programs, or use the "Run As" feature in Windows to run just those programs as Administrator.

You should never need to browse as anything other than an "ordinary" (unprivileged) user.

This is one of the biggest security holes in Windows, and one of the easiest to fix.
Old 2008-09-03, 13:33   Link #11
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
1) I'd suggest deleting the other thread you started. Ask a moderator to do it for you, if the software won't allow you to do it yourself. For that, I'd go to the first message in the other thread, then click the exclamation point button ("Report Post") and ask that the thread be deleted.

2) Cats suggested using spoiler tags to make your post more readable. Here's how:

[spoiler=my hijack this log]
giant wall of text
[/spoiler]

Then the text will look like this:
Spoiler for my hijack this log:

If you're not comfortable typing the [] tags, you can accomplish the same thing by highlighting all the text you want to put in spoilers, then clicking the yellow caution sign button with the peeking girl in the editor.

After you've cleaned up this problem, read my comment above about not running with Administrator privileges.
Old 2008-09-03, 14:25   Link #12
SFJenn
Junior Member
 
Join Date: Sep 2008
Virtumonde HijackThis log

Spoiler for HijackThis log for Virtumonde:

Last edited by White Manju Bun; 2008-09-03 at 14:37.
Old 2008-09-03, 14:27   Link #13
SFJenn
Junior Member
 
Join Date: Sep 2008
I have tried to delete the other thread and read your comment on admin privileges. Is there some way to fix my problem I have shown above? I would greatly appreciate your help!
Old 2008-09-04, 07:28   Link #14
demonix
Senior Member
 
 
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 44
First, you should start in Safe Mode, run HijackThis again and fix the following:

O2 - BHO: agadoo browser optimizer - {0413b2a6-ccee-8a48-af7a-44e13614aa74} - C:\windows\system32\xnnsiqgefjytjwah.dll
O2 - BHO: {2250c470-6a3c-67cb-ec34-4f7fba08f861} - {168f80ab-f7f4-43ce-bc76-c3a6074c0522} - C:\windows\system32\rtehak.dll
O2 - BHO: (no name) - {443270C0-150C-4397-BB56-A9FA4938D763} - C:\windows\system32\byXQkhgD.dll
O2 - BHO: radbanner browser enhancer - {c4df71f7-4526-064e-faae-c95d5d56ef12} - C:\windows\system32\yvwytycumugif.dll
O2 - BHO: (no name) - {F73D5609-8DF2-4D19-BE50-ECA3CF87EEEE} - C:\windows\system32\urqPhfgd.dll
O4 - HKLM\..\Run: [{0F-F8-85-5D-DW}] C:\windows\system32\rnwnw64l.exe DWram03FF
O4 - HKLM\..\Run: [{27d66248-db37-177d-29bd-c62bf72849d3}] C:\windows\System32\Rundll32.exe "C:\windows\system32\yvwytycumugif.dll" DllStart
O4 - HKLM\..\Run: [lphcp6tj0e1an] C:\windows\system32\lphcp6tj0e1an.exe
O4 - HKLM\..\Run: [{137105cb-7a87-acf3-d2d4-c631de085c36}] C:\windows\System32\Rundll32.exe "C:\windows\system32\xnnsiqgefjytjwah.dll" DllStart
O4 - HKLM\..\Run: [ExploreUpdSched] C:\windows\system32\pcntntdl.exe DWram03FF
O4 - HKLM\..\Run: [runner1] C:\windows\faceback.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [6ca0f8f2] rundll32.exe "C:\windows\system32\widcdhyc.dll",b
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\pcntntdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rnwnw64l.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm414YYUS
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LFG...FG-toolbar.cab
O20 - Winlogon Notify: urqPhfgd - C:\windows\SYSTEM32\urqPhfgd.dll

Then go into the folders where the files are located and remove them (you might have to reboot back into Safe Mode to do this after you've done the fixing in HijackThis). Plus, you should disable System Restore, as some malware will hide in there and constantly restore itself after you've removed it.
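The checks gabbytay applied by eye in posts #5 and #7 (start-up entries launched from the user's profile root, toolbars still registered with no file on disk, a static NameServer entry) and the pattern running through demonix's list in post #14 (the same DLL registered as a BHO and as a Winlogon Notify package, or loaded from a Run key through Rundll32, and one executable started from both a Run key and the Startup folder), written out as a small triage script. This is an added example, not part of the thread and not a HijackThis feature. The path heuristics are assumptions about where XP-era droppers land, the expected-resolver set is whatever the ISP or DHCP really hands out (an O17 line looks identical for a legitimately configured static resolver, so the operator has to supply that set), and the log excerpt is assembled from entries quoted in this thread rather than being a complete log.

```python
"""HijackThis log triage: the checks a helper applies by eye, as code.
Added example for this thread, not part of HijackThis. The path heuristics and
the expected-resolver set are assumptions to adapt to the machine being cleaned."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
RUN_RE = re.compile(r"HK\w+\\\.\.\\[\w\\]+: \[[^\]]*\] (.*)$")  # O4 Run-key entries
STARTUP_RE = re.compile(r"(?:Global )?Startup: [^=]+ = (.*)$")   # O4 Startup shortcuts
# One command-line token: quoted path | unquoted path ending in an executable
# extension (HijackThis prints profile paths unquoted, spaces and all) | bare word.
TOKEN_RE = re.compile(
    r'"([^"]+)"|((?:[a-z]:|%\w+%)\\.*?\.(?:exe|dll|com|scr|bat))(?=[\s,]|$)|(\S+)', re.I)

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def loaded_image(command):
    """(image, via_rundll32): for 'rundll32 "x.dll",entry' the DLL is what matters."""
    tokens = [next(g for g in m.groups() if g) for m in TOKEN_RE.finditer(command)]
    if len(tokens) > 1 and basename(tokens[0]) == "rundll32.exe":
        return tokens[1], True
    return (tokens[0] if tokens else command), False

def path_verdict(image):
    """Assumed heuristic: droppers land in the profile root, a fresh folder under
    Application Data, or the Windows root. It says nothing about files in system32."""
    p = image.strip('"').lower()
    if re.match(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", p):
        return "runs from profile root"
    if re.match(r"^c:\\documents and settings\\[^\\]+\\application data\\[^\\]+\\[^\\]+$", p):
        return "runs from unknown Application Data folder"
    if re.match(r"^c:\\windows\\[^\\]+$", p):
        return "runs from Windows root"
    return None

def triage(log_text, expected_dns=frozenset()):
    """Return [(reason, entry)]. expected_dns: the resolvers the ISP or DHCP really
    hands out; static NameServer values outside it are reported (empty = report all)."""
    findings = []
    seen = defaultdict(set)      # image basename -> kinds of entry that reference it
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue             # header, process list, blank lines
        section, body = m.groups()
        if "(no file)" in body:  # CLSID still registered, binary already gone
            findings.append(("registered but file missing; dead entry, safe to fix", body))
        elif section == "O4":
            if m := RUN_RE.match(body):
                image, via = loaded_image(m.group(1))
                kind = "O4-rundll32" if via else "O4-run"
            elif m := STARTUP_RE.match(body):
                image, kind = m.group(1).strip(), "O4-startup"
            else:
                continue
            if verdict := path_verdict(image):
                findings.append((verdict, body))
            seen[basename(image)].add(kind)
        elif section == "O2":
            seen[basename(body.rsplit(" - ", 1)[-1])].add("O2")
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            seen[basename(body.rsplit(" - ", 1)[-1])].add("O20")
        elif section == "O17" and (m := re.search(r"NameServer = (.*)$", body)):
            for ip in m.group(1).split():
                if ip not in expected_dns:
                    findings.append((f"static DNS server {ip} not in the expected set", body))
    # Vundo-style persistence: one binary wired in through several mechanisms.
    for name, kinds in sorted(seen.items()):
        if len(kinds) > 1:
            findings.append((f"{name} persists via {', '.join(sorted(kinds))}", name))
    return findings

# Constructed sample: entries quoted in this thread, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Owner\sccs.exe
O4 - HKLM\..\Run: [ppxcs] C:\Documents and Settings\Owner\ppxcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCBF5F1-66DB-4BB7-9A58-E650CCBCE8E5}: NameServer = 202.188.0.133 202.188.1.5
O2 - BHO: (no name) - {F73D5609-8DF2-4D19-BE50-ECA3CF87EEEE} - C:\windows\system32\urqPhfgd.dll
O2 - BHO: radbanner browser enhancer - {c4df71f7-4526-064e-faae-c95d5d56ef12} - C:\windows\system32\yvwytycumugif.dll
O4 - HKLM\..\Run: [{27d66248-db37-177d-29bd-c62bf72849d3}] C:\windows\System32\Rundll32.exe "C:\windows\system32\yvwytycumugif.dll" DllStart
O4 - HKLM\..\Run: [runner1] C:\windows\faceback.exe 61A847B5BBF72813329B385772FF01F0
O4 - HKLM\..\Run: [ExploreUpdSched] C:\windows\system32\pcntntdl.exe DWram03FF
O4 - HKLM\..\Policies\Explorer\Run: [joaKLhAJ8D] C:\Documents and Settings\All Users.WINDOWS\Application Data\mlwbgfyv\mrqxcrud.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\pcntntdl.exe
O20 - Winlogon Notify: urqPhfgd - C:\windows\SYSTEM32\urqPhfgd.dll
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason:<58} {entry}")
```

Feed it a saved log with triage(open("hijackthis.log").read()). A finding is a reason to look closer, not proof: the path check deliberately stays silent about anything under system32 (it would not react to C:\WINDOWS\system32\spoolsv.exe, the Windows print spooler, nor to the randomly named DLLs there, which is why the cross-section correlation exists), and a flagged file should still be identified (vendor, signature, hash) before it is deleted. Fixing an entry in HijackThis only removes the registration; as demonix says, the files themselves have to be deleted separately.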
Old 2008-10-01, 20:23   Link #15
anonymaus
Junior Member
 
Join Date: Oct 2008
Help needed!

I have the same virus! A windows warning on my desktop screen says:

Warning! Win32/Adware.Virtumonde
Detected on your computer

Warning! Win32/PrivacyRemover.M64
Detected on your computer

It has removed my ability to change Display settings in Control Panel.

These are my HijackThis scan results. Would someone please let me know the culprit files? Thank you! -anonymaus

Last edited by anonymaus; 2008-10-03 at 02:38.
Old 2008-10-02, 07:43   Link #16
demonix
Senior Member
 
 
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 44
After spending a bit of time sorting out that mess of a log, I can list what needs dealing with:

O4 - HKLM\..\Run: [lphce1wj0e78c] C:\WINDOWS\System32\lphce1wj0e78c.exe
O4 - HKLM\..\Policies\Explorer\Run: [joaKLhAJ8D] C:\Documents and Settings\All Users.WINDOWS\Application Data\mlwbgfyv\mrqxcrud.exe
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

It also looks like you have a variant of the trojan downloader Win32.Mutant.yf, so I'd also suggest doing a full anti-virus scan with the trial of Windows Live OneCare (you'd only need to use the trial). Plus, make sure to disable System Restore before you do ANYTHING, since these nasties could be hiding in there and will respawn once they're removed from the main system (also, find the files on your computer after you've gotten all that sorted out and kill them, in case the anti-virus scans don't).
Old 2008-10-02, 10:01   Link #17
anonymaus
Junior Member
 
Join Date: Oct 2008
thank you demonix!
sorry my log is such a mess.
i'm going to follow your advice right now.
wish me luck.
Old 2008-10-02, 10:31   Link #18
anonymaus
Junior Member
 
Join Date: Oct 2008
I checked the three items and fixed them in HijackThis, but win32.dll popped up again on reboot (with System Restore disabled).

I tried to download Windows Live OneCare, but when I try to install it, it gives me the following error:

ocsetup.exe - Entry Point Not Found
The procedure entry point GetProcessId could not be located in the dynamic link library KERNEL32.dll.


The startup screen and Control Panel are still affected.

I found the "WinCtrl32.dll" file in the system32 folder, but I can't delete it. It says it is being used by another program.

Is the file "WinCtrl32" (DL_file) okay, or is this part of the trojan?

thanks in advance for your help. <:3_)~~
Old 2008-10-02, 11:02   Link #19
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
I'm assuming you're getting this:
http://1.bp.blogspot.com/_bVx0jDn51d...-h/warning.jpg

It's malware. It's just like Anti-Virus 2008. It'll embed itself onto your computer and make you believe you have a virus until you buy and "install" their program. Don't be fooled.

Download SmitFraudFix and make sure it's installed either onto your desktop or C drive so you don't have to go hunting for it.

Go to Safe Mode, and do the following exactly how it's written. Do not miss a step:

- Run SmitFraudFix. Select option number 2, which is 'Clean (safe mode recommended)', and then press Enter to delete infected files.
- Once the Disk Cleanup program is complete, you will be prompted with the message ‘Registry cleaning - Do you want to clean the registry’. Answer Y (Yes) and hit Enter. Reboot your computer.
- SmitFraudFix will now check if wininet.dll is infected. SmitFraudFix will ask you whether to replace the infected file (if there’s any) ‘Replace infected file?’ Answer by typing Y (Yes) and hit Enter.
- Reboot your computer to complete the cleaning process. Make sure you go back into Safe Mode.
- Go to C:\Windows\Temp, click Edit, click Select All, press DELETE. (Hit yes, of course)
- Go to C:\Documents and Settings\[LISTED USER]\Local Settings\Temp, click Edit, click Select All, press DELETE. (Yes, again.)
- Uninstall Warning! win32/adware.virtumonde Program
Click on Start > Settings > Control Panel > Double-click on Add/Remove Programs. Search for and uninstall Warning! win32/adware.virtumonde if found.
- If your homepage has been changed, go to Start > Control Panel > Internet Options > click on the General tab > click Use Default under Home Page. Add your desired default homepage, then click Apply > click OK. Open a new web browser to check that you have your desired default homepage.
- To remove Warning! win32/adware.virtumonde icons on your Desktop, drag and drop them to the Recycle Bin.
- Empty the Recycle Bin.

Search for and delete these files:

XP-Guard.lnk
XPGuardSetup.exe
XPGuard\XP-Guard Web Site.lnk
XPGuard\XP-Guard.lnk
XP-Guard Web Site.url
XP-Guard.exe

Delete these registry entries: (Go to Start Menu > Run > regedit. DO NOT delete or change anything other than these.)

414B0283-2228-4F26-8BB3-C2211FA99223
BC37F38C-D37C-46FC-AC8D-93ABBCE72947
FE06810E-CAFB-4F02-A65B-F35190236D02

After all that:
- Restart your computer to normal mode. The problem should be gone.

I would heavily emphasize either updating whatever internet security you have, or getting a new one that's highly recommended, as long as it's not Norton or McAfee. Spending the $80 is well worth it.
Old 2008-10-03, 02:37   Link #20
anonymaus
Junior Member
 
Join Date: Oct 2008
Takaya san, I am grateful to you! It worked!

Yes, that is the screen I was seeing on my desktop. Now I have control of my control panel again. The file "WinCtrl32.dll" is still not deleting but the symptoms of the malware are gone. I could not find the XP Guard files or registry entries listed but the initial run of SmitFraudFix took care of it.

Should I turn on System Restore again?

Do you recommend Symantec AntiVirus? Spybot Search & Destroy? Adaware?

Thanks.
<:3_)~~