10 replies to this topic

[joe64bitxp]

Hello, I recently ran across this forum doing a search on the virtumonde virus.
I have 64-Bit XP and know some malware products may not work, but will try anyway. It seems that I can not get rid of it, as it keeps regenerating in my registry. I have read your instructions and will post after all is complete.

[joe64bitxp]

I also have the system in raid 0. I may have missed other info needed if so let me know.
And again.
Thank you in advance.
Your help is appreciated if you choose to.

[joe64bitxp]

Here are the logs if anyone interested.


Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.2.3790 Service Pack 2

12/21/2008 11:34:25 AM
mbam-log-2008-12-21 (11-34-25).txt

Scan type: Quick Scan
Objects scanned: 43101
Time elapsed: 1 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-12-21 12:52:12
PROTECTIONS: 1
MALWARE: 39
SUSPECTS: 1
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
avast! antivirus 4.8.1296 [VPS 081221-0] 4.8.1296 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00029434 spyware/virtumonde Spyware No 1 Yes No c:\windows\syswow64\appsetup.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@casalemedia[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@atdmt[3].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@atdmt[4].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@tribalfusion[3].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@mediaplex[2].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@clickbank[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@clickbank[1].txt
00149104 Cookie/Date TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@date[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@com[3].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@yadro[2].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@xiti[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@gostats[2].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@club.cdfreaks[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@ad.yieldmanager[4].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@ad.yieldmanager[3].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@burstnet[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@bs.serving-sys[3].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@www.burstbeacon[1].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@cdfreaks[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@adrevolver[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@ads.pointroll[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@questionmarket[3].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@questionmarket[4].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@zedo[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@bluestreak[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@adrevolver[2].txt
00217608 Cookie/Hitbox TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@ehg-micron.hitbox[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No E:\Documents and Settings\KENs\Cookies\kens@atwola[1].txt
00286734 Cookie/Adserver TrackingCookie No 0 Yes No E:\Documents and Settings\KENS.KEN\Cookies\kens@adserver.filefront[1].txt
00286734 Cookie/Adserver TrackingCookie No 0 Yes No F:\Documents and Settings\Administrator\Cookies\administrator@adserver.filefront[1].txt
01048936 Generic Malware Virus/Trojan No 0 Yes No E:\GameSpy Arcade\Services\_common\PortraitLoader.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location
!@[C5
;===============================================================================
================================================================================
=
===================
No C:\Documents and Settings\Administrator\Desktop\Tools\usbmrs11.exe[umrs.exe]
!@[C5
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description
!@[C5
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:58 PM, on 12/21/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files (x86)\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files (x86)\Razer\Copperhead\razertra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\WINDOWS\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {d71fc4e0-6665-4091-bcbd-95f02ff55ec1} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch Direct Link] "C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe"
O4 - HKLM\..\Run: [Launch As Cmd Runner] "C:\Program Files (x86)\ASUS\AI Direct Link\AsCmd.exe" -reg
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [Copperhead] "C:\Program Files (x86)\Razer\Copperhead\razerhid.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1204364433415
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...464/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\powirimu.dll c:\windows\system32\voyuvofe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 10040 bytes

[AdvancedSetup]

STEP 01
[indent]Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files. [/indent]
STEP 02
[indent]Start HJT and do a Scan only and put a check mark on the following items
O20 - AppInit_DLLs: C:\WINDOWS\system32\powirimu.dll c:\windows\system32\voyuvofe.dll
Then click on "Fix checked"[/indent]
STEP 03
[indent]Upload the following files to the site for review.
Go here uploads.malwarebytes.org and browse and upload the following files if found.
[indent]

• C:\WINDOWS\system32\powirimu.dll
  
• c:\windows\system32\voyuvofe.dll

[/indent][/indent]
STEP 04
[indent]Start MBAM and go to the UPDATE tab and update the program and do a Quick Scan and fix anything found and reboot the computer.[/indent]
STEP 05
[indent]Start HJT and do a Scan and save log[/indent]
STEP 06
[indent]Post back the MBAM and HJT logs[/indent]

[joe64bitxp]

Hello AdvancedSetup,
Sorry for delay I didn't recieve E-mail.
Thank you very much for your help.
All steps were performed in order.
Step 3...... None were found. I also rearched folders with the search feature.
Step 4......Nothing to fix; Did reboot. Not sure if I had to.

Malwarebytes' Anti-Malware 1.31
Database version: 1542
Windows 5.2.3790 Service Pack 2

12/24/2008 2:55:04 PM
mbam-log-2008-12-24 (14-55-04).txt

Scan type: Quick Scan
Objects scanned: 43947
Time elapsed: 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:18 PM, on 12/24/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files (x86)\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files (x86)\Razer\Copperhead\razertra.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\WINDOWS\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {d71fc4e0-6665-4091-bcbd-95f02ff55ec1} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch Direct Link] "C:\Program Files (x86)\ASUS\AI Direct Link\AsShare.exe"
O4 - HKLM\..\Run: [Launch As Cmd Runner] "C:\Program Files (x86)\ASUS\AI Direct Link\AsCmd.exe" -reg
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [Copperhead] "C:\Program Files (x86)\Razer\Copperhead\razerhid.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1204364433415
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...464/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9898 bytes

Again, Thank You
Happy Holidays

[AdvancedSetup]

[indent]Please note the Holidays are approaching and I may be unavailable for a couple days or more.
Please be patient, I've not forgotten you and will resume assistance when I return[/indent]


How is the system running? Is there still any indication of Malware running on the system?

[joe64bitxp]

I'll fire it up and do some things on it.....Not yet fingers crossed.
I did notice in the HJ log of missing files, anything to be concerned about.
Should I run Reg Cleaner?
Thanx

[AdvancedSetup]

No, most Reg Cleaners are a total waste of time except in rare cases.

Run the system for a couple days while I'm away for Holiday and if you're still having issues post back and let me know.

Update MBAM again in a day or so and scan again as it is updated very often with new findings and fixes.

[AdvancedSetup]

Hi Joe,

If you still need help please post and let me know.

[joe64bitxp]

Thank you AdvancedSetup,
I believe it is good....Looks and feels clean.
Again thank you for the help and education.

[AdvancedSetup]

Well it's been a while and MBAM has had many updates since last you scanned.

Might want to run this update, scan and repair routine once more and let me review your logs just to be sure but it's up to you.

Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update - (Don't forget to UPDATE!!)
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.