Author Topic: virtumonde infecting my computer (Read 17497 times)

sanmil0963 · « **on:** April 03, 2009, 04:41:45 AM »

I did all the steps as suggested, but forgot to save the Superanti scan. Hopefully, you will still be able to help with the other two. I have attached the other 2 scans with this post.

I tried to update MS securties, but can not update anything, even after following the MS suggestion on fixing the problem.

[attachment deleted by admin]

harry 48 · « **Reply #1 on:** April 03, 2009, 02:57:55 PM »

run sas again and post the log

sanmil0963 · « **Reply #2 on:** April 05, 2009, 03:05:14 PM »

Hi,
Here is the SAS log. Thanks for ya'lls help.

[attachment deleted by admin]

harry 48 · « **Reply #3 on:** April 05, 2009, 04:32:20 PM »

ok , i'm only trying to help an expert should be along to have a look at them for

you , harry

sanmil0963 · « **Reply #4 on:** April 10, 2009, 02:38:36 PM »

Your help is appreciated. What do I do now? This thing has really taken over my computer. I cant use Outlook and am having problems with IE.

evilfantasy · « **Reply #5 on:** April 10, 2009, 02:43:20 PM »

Everything in the MBAM scan says No action taken. Update MBAM and run it again letting it fix everything it finds. Post the log.

sanmil0963 · « **Reply #6 on:** April 10, 2009, 03:31:33 PM »

The new log is attached. Thank you

[attachment deleted by admin]

evilfantasy · « **Reply #7 on:** April 10, 2009, 03:40:20 PM »

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

sanmil0963 · « **Reply #8 on:** April 10, 2009, 04:18:29 PM »

I can't install either of these. It keeps telling me it can't be renamed.

evilfantasy · « **Reply #9 on:** April 10, 2009, 04:19:26 PM »

Have you already installed ComboFix?

sanmil0963 · « **Reply #10 on:** April 10, 2009, 04:37:47 PM »

Yes. The log is attached

[attachment deleted by admin]

evilfantasy · « **Reply #11 on:** April 10, 2009, 04:38:32 PM »

Delete that and download the new version and run a scan.

sanmil0963 · « **Reply #12 on:** April 10, 2009, 04:40:32 PM »

delete what? Combofix?

evilfantasy · « **Reply #13 on:** April 10, 2009, 06:50:20 PM »

Yes please.

sanmil0963 · « **Reply #14 on:** April 11, 2009, 05:55:22 AM »

is the one that you gave me the updated version?

evilfantasy · « **Reply #15 on:** April 11, 2009, 12:48:05 PM »

Yes just download it from the above link.

sanmil0963 · « **Reply #16 on:** April 11, 2009, 02:54:39 PM »

Thanks for the patience. Here is the log

[attachment deleted by admin]

evilfantasy · « **Reply #17 on:** April 11, 2009, 03:01:47 PM »

Download DDS by sUBs and save it to your desktop. Alternate DDS download link

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please include the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

sanmil0963 · « **Reply #18 on:** April 11, 2009, 04:15:09 PM »

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/25/2007 4:43:44 PM
System Uptime: 4/11/2009 1:19:03 PM (5 hours ago)

Motherboard: Hewlett-Packard | | 0A60h
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | XU1 PROCESSOR | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 141 GiB total, 110.228 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 6.356 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&DE53A73&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&DE53A73&0
Service: i8042prt

==== System Restore Points ===================

RP463: 1/10/2009 5:14:26 PM - System Checkpoint
RP464: 1/11/2009 3:33:09 PM - Installed BlackBerry Desktop Software 4.3.
RP465: 1/11/2009 3:37:16 PM - Installed Roxio Media Manager
RP466: 1/13/2009 3:43:32 AM - Software Distribution Service 3.0
RP467: 1/14/2009 8:13:44 AM - System Checkpoint
RP468: 1/14/2009 4:51:00 PM - Software Distribution Service 3.0
RP469: 1/16/2009 7:53:52 AM - Shockwave Player
RP470: 1/16/2009 8:13:13 AM - Software Distribution Service 3.0
RP471: 1/17/2009 11:13:35 AM - System Checkpoint
RP472: 1/18/2009 1:17:32 PM - System Checkpoint
RP473: 1/19/2009 10:54:26 AM - Software Distribution Service 3.0
RP474: 1/20/2009 1:19:45 PM - System Checkpoint
RP475: 1/21/2009 2:35:39 PM - System Checkpoint
RP476: 1/23/2009 1:19:28 AM - Software Distribution Service 3.0
RP477: 1/24/2009 3:58:41 AM - System Checkpoint
RP478: 1/25/2009 4:34:16 PM - System Checkpoint
RP479: 1/26/2009 7:00:36 PM - System Checkpoint
RP480: 1/27/2009 5:49:27 AM - Software Distribution Service 3.0
RP481: 1/28/2009 1:18:42 PM - System Checkpoint
RP482: 1/30/2009 1:48:21 AM - Software Distribution Service 3.0
RP483: 1/31/2009 5:32:45 PM - System Checkpoint
RP484: 2/1/2009 6:05:17 PM - Windows Defender Checkpoint
RP485: 2/2/2009 6:08:01 PM - System Checkpoint
RP486: 2/3/2009 2:12:21 AM - Software Distribution Service 3.0
RP487: 2/4/2009 11:04:02 AM - System Checkpoint
RP488: 2/5/2009 2:18:23 PM - Software Distribution Service 3.0
RP489: 2/6/2009 9:16:38 PM - System Checkpoint
RP490: 2/8/2009 5:59:24 AM - System Checkpoint
RP491: 2/9/2009 11:25:46 AM - System Checkpoint
RP492: 2/9/2009 6:04:26 PM - Software Distribution Service 3.0
RP493: 2/10/2009 6:47:50 PM - System Checkpoint
RP494: 2/11/2009 3:00:21 AM - Software Distribution Service 3.0
RP495: 2/12/2009 8:56:30 AM - System Checkpoint
RP496: 2/13/2009 1:33:21 AM - Software Distribution Service 3.0
RP497: 2/13/2009 3:30:24 PM - Shockwave Player
RP498: 2/13/2009 3:57:11 PM - Shockwave Player
RP499: 2/15/2009 12:53:47 PM - System Checkpoint
RP500: 2/16/2009 2:04:01 PM - System Checkpoint
RP501: 2/17/2009 1:53:28 AM - Software Distribution Service 3.0
RP502: 2/18/2009 5:29:46 AM - System Checkpoint
RP503: 2/19/2009 6:27:14 AM - System Checkpoint
RP504: 2/19/2009 8:09:59 PM - Software Distribution Service 3.0
RP505: 2/20/2009 9:22:15 PM - System Checkpoint
RP506: 2/23/2009 7:00:26 AM - System Checkpoint
RP507: 2/24/2009 6:56:27 AM - Software Distribution Service 3.0
RP508: 2/25/2009 10:58:21 AM - System Checkpoint
RP509: 2/25/2009 6:58:04 PM - Software Distribution Service 3.0
RP510: 2/27/2009 6:10:13 AM - Software Distribution Service 3.0
RP511: 2/28/2009 6:48:39 AM - System Checkpoint
RP512: 2/28/2009 2:38:47 PM - Installed Lost Treasures of Alexandria
RP513: 3/2/2009 6:33:59 AM - System Checkpoint
RP514: 3/3/2009 6:07:38 AM - Software Distribution Service 3.0
RP515: 3/4/2009 6:59:40 AM - System Checkpoint
RP516: 3/5/2009 11:42:40 AM - System Checkpoint
RP517: 3/5/2009 12:13:44 PM - Software Distribution Service 3.0
RP518: 3/6/2009 3:00:15 AM - Software Distribution Service 3.0
RP519: 3/7/2009 8:35:56 AM - System Checkpoint
RP520: 3/8/2009 2:02:09 PM - System Checkpoint
RP521: 3/9/2009 2:52:13 PM - System Checkpoint
RP522: 3/10/2009 5:21:30 AM - Software Distribution Service 3.0
RP523: 3/11/2009 7:03:11 AM - System Checkpoint
RP524: 3/12/2009 4:48:52 AM - Software Distribution Service 3.0
RP525: 3/13/2009 7:05:40 AM - System Checkpoint
RP526: 3/13/2009 2:50:17 PM - Software Distribution Service 3.0
RP527: 3/14/2009 4:57:24 AM - Software Distribution Service 3.0
RP528: 3/15/2009 8:25:01 AM - System Checkpoint
RP529: 3/16/2009 2:54:26 PM - System Checkpoint
RP530: 3/17/2009 6:29:05 AM - Software Distribution Service 3.0
RP531: 3/18/2009 9:46:38 AM - System Checkpoint
RP532: 3/19/2009 11:05:24 AM - System Checkpoint
RP533: 3/20/2009 3:46:22 AM - Software Distribution Service 3.0
RP534: 3/21/2009 1:42:30 PM - System Checkpoint
RP535: 3/22/2009 2:40:21 PM - System Checkpoint
RP536: 3/24/2009 6:01:05 AM - Software Distribution Service 3.0
RP537: 3/25/2009 10:05:49 AM - System Checkpoint
RP538: 3/26/2009 10:00:04 AM - Software Distribution Service 3.0
RP539: 3/27/2009 4:43:19 PM - System Checkpoint
RP540: 3/28/2009 4:57:00 PM - System Checkpoint
RP541: 3/30/2009 8:46:58 AM - System Checkpoint
RP542: 3/30/2009 7:30:45 PM - Software Distribution Service 3.0
RP543: 3/31/2009 9:08:48 PM - System Checkpoint
RP544: 4/2/2009 9:37:41 AM - System Checkpoint
RP545: 4/3/2009 1:00:51 PM - Software Distribution Service 3.0
RP546: 4/4/2009 4:44:55 PM - System Checkpoint
RP547: 4/5/2009 5:05:33 PM - Removed Lost Treasures of Alexandria
RP548: 4/6/2009 5:43:27 AM - Removed iTunes
RP549: 4/6/2009 5:46:16 AM - Installed Java(TM) 6 Update 13
RP550: 4/10/2009 1:02:18 PM - System Checkpoint
RP551: 4/10/2009 6:30:17 PM - ComboFix created restore point
RP552: 4/10/2009 6:41:59 PM - Software Distribution Service 3.0
RP553: 4/11/2009 3:11:00 AM - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
5600
5600_Help
5600Trb
Accent on Interactivity 1.6
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
AutoUpdate
Barbie Girls
BlackBerry Desktop Software 4.3
Broadcom Management Programs
Broadcom TPM Driver Installer
BufferChm
C7100
c7100_Help
Cake Mania
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner (remove only)
CorelDRAW Design Collection - 2
CorelDRAW Design Collection - 3
CorelDRAW Graphics Suite X3
Coupon Printer for Windows
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
Creating Keepsakes Scrapbook Designer
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Desktop Doctor
Destinations
DeviceManagementQFolder
Diner Dash 2
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
EN
eSupportQFolder
Fax
Fax_CDA
FontNav
FullDPAppQFolder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Backup and Recovery Manager
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Help and Support
HP Image Zone Express
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
InterActual Player
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Kidzui
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech MouseWare 9.76
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
MGTEK dopisp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.01
Microsoft IntelliType Pro 6.01
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Move Networks Media Player for Internet Explorer
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NewCopy
NewCopy_CDA
Nikon Message Center
OCR Software by I.R.I.S 7.0
OTOY
PanoStandAlone
PDF Complete
PhotoGallery
PictureProject
Pirate Poppers
ProductContext
ProductContextNPI
QuickTime
RandMap
Readme
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Media Manager
Scan
ScannerCopy
SDMSSplash
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Shockwave
SkinsHP1
SlideShow
Software Setup
SolutionCenter
Sonic_PrimoSDK
SpongeBob Diner Dash
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Uninstall Dual Mode Camera
Unload
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Manager
VeohTV BETA
WebFldrs XP
WebReg
Wedding Dash
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare Family Safety
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

4/4/2009 10:29:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/4/2009 5:11:03 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/4/2009 5:00:02 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
4/4/2009 5:00:01 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
4/4/2009 11:00:02 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
4/4/2009 4:00:01 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
4/4/2009 4:00:02 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
4/4/2009 5:00:01 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
4/4/2009 5:00:02 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
4/4/2009 7:00:01 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
4/4/2009 7:00:02 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
4/4/2009 10:00:01 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
4/4/2009 10:00:02 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
4/5/2009 9:00:01 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
4/5/2009 9:00:02 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:01 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:02 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
4/5/2009 11:00:01 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
4/5/2009 1:00:01 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
4/5/2009 1:00:02 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:01 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:02 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
4/5/2009 3:00:01 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
4/5/2009 3:00:02 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
4/5/2009 5:04:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/5/2009 6:00:01 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
4/5/2009 6:00:02 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
4/6/2009 4:00:01 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
4/6/2009 4:00:02 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
4/6/2009 6:00:01 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
4/6/2009 6:00:02 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
4/6/2009 7:00:01 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
4/6/2009 7:00:02 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
4/6/2009 8:00:01 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
4/6/2009 8:00:02 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
4/6/2009 12:00:01 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
4/6/2009 12:00:02 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402

==== End Of File ===========================

[attachment deleted by admin]

evilfantasy · « **Reply #19 on:** April 11, 2009, 04:38:06 PM »

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with these fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Go to Add or Remove Programs and uninstall:

AutoUpdate
J2SE Runtime Environment 5.0 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
MarketResearch

.
----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Folder::
c:\docume~1\admini~1\applic~1\licenses
c:\docume~1\admini~1\applic~1\PCMM2009
c:\program files\PC MightyMax 2009

File::
c:\windows\Tasks\At1.job
c:\windows\system32\XDevH2E1.exe
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\system32\k542TykF.exe
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

RegLockDel::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

sanmil0963 · « **Reply #20 on:** April 11, 2009, 05:07:06 PM »

I don't see the calendar with the padlock. The teatimer is off. Do I go ahead with the scan?

evilfantasy · « **Reply #21 on:** April 11, 2009, 05:10:13 PM »

Please do this.

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

Now continue on.

sanmil0963 · « **Reply #22 on:** April 11, 2009, 05:19:19 PM »

I had a success.

Do I start running spybot now?

sanmil0963 · « **Reply #23 on:** April 11, 2009, 05:52:37 PM »

Here the Combofix log

[attachment deleted by admin]

evilfantasy · « **Reply #24 on:** April 11, 2009, 05:59:51 PM »

That's the same log as before.

Follow the instructions from here > http://www.computerhope.com/forum/index.php/topic,80538.msg535464.html#msg535464

sanmil0963 · « **Reply #25 on:** April 11, 2009, 06:01:23 PM »

No. I just ran that one after doing the steps that you provided me and here is the MBAM

[attachment deleted by admin]

evilfantasy · « **Reply #26 on:** April 11, 2009, 06:13:52 PM »

OK I still need the new ComboFix log from the instructions in this post > > http://www.computerhope.com/forum/index.php/topic,80538.msg535464.html#msg535464

sanmil0963 · « **Reply #27 on:** April 11, 2009, 06:24:27 PM »

I'm trying to run it again, but it keeps detecting my McAfee. I have tripled checked and McAfee has been disabled.

evilfantasy · « **Reply #28 on:** April 11, 2009, 06:26:07 PM »

Just keep going and ignore the warning.

sanmil0963 · « **Reply #29 on:** April 11, 2009, 06:40:09 PM »

Here it is. Thank you

[attachment deleted by admin]

evilfantasy · « **Reply #30 on:** April 11, 2009, 06:44:13 PM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

sanmil0963 · « **Reply #31 on:** April 11, 2009, 06:52:05 PM »

Now when I restart my computer I keep getting a messages "Windows Genuine Advantage Notification" Should I worry about that and how do I remove it off my startup?

evilfantasy · « **Reply #32 on:** April 11, 2009, 07:04:57 PM »

This should take care of that.

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
c:\windows\Tasks\WGASetup.job
c:\windows\system32\KB905474\wgasetup.exe

:Commands
[emptytemp]
[start explorer]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

The notification should be gone now.

Anything else going wrong?

sanmil0963 · « **Reply #33 on:** April 11, 2009, 07:11:34 PM »

I just ran spybot again and it is still detecting adware. Will this clear up?

evilfantasy · « **Reply #34 on:** April 11, 2009, 07:14:55 PM »

Where is it saying it is finding the adware?

sanmil0963 · « **Reply #35 on:** April 11, 2009, 07:19:30 PM »

I didn't pay any attention. It was 7 problems, so I just hit fixed.

evilfantasy · « **Reply #36 on:** April 11, 2009, 07:25:34 PM »

It might just be cookies which are harmless.

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

sanmil0963 · « **Reply #37 on:** April 15, 2009, 03:27:44 PM »

Thank you for all the help. My computer is clean.

evilfantasy · « **Reply #38 on:** April 15, 2009, 03:44:52 PM »

Your welcome.

Safe surfing...

sanmil0963 · « **Reply #39 on:** April 16, 2009, 05:46:44 PM »

IT'S BACK

In addition, it has put an Administration password on my computer and now I am locked out. Please help.

evilfantasy · « **Reply #40 on:** April 16, 2009, 05:48:23 PM »

I don't know how to help with that other than reformat and reinstall.

sanmil0963 · « **Reply #41 on:** April 16, 2009, 05:51:40 PM »

Does this means I am going to lose everything?

I kinda thought that. That's why I pulled out the cd's

sanmil0963 · « **Reply #42 on:** April 16, 2009, 05:56:41 PM »

Is Mozy any good? Is it safe?

evilfantasy · « **Reply #43 on:** April 16, 2009, 05:58:14 PM »

Are you blocked from logging on due to the Admin password?

sanmil0963 · « **Reply #44 on:** April 16, 2009, 06:03:15 PM »

Yes. I never set a password and hitting enter doesn't work, nor does trying to bypass it through safemode.

evilfantasy · « **Reply #45 on:** April 16, 2009, 06:06:27 PM »

Without being able to log on then you will have a hard time trying to reset a password. Unless you are familiar with Linux then you might be able to get into Windows that way and reset or crack it but I'm not sure it would work or not. never done it myself.

See here for the UBCD -> http://www.ubcd4win.com/ (free)

sanmil0963 · « **Reply #46 on:** April 16, 2009, 06:16:05 PM »

I'm not very familiar with Linux. How does the site u gave me work? I can't download it to the computer, because I can't get in and I can't find how to order the CD.

evilfantasy · « **Reply #47 on:** April 16, 2009, 06:20:08 PM »

You would have to burn it to a disk with another PC and then boot the other locked PC with it in the CD tray.

See here Extracting, setting up, and building UBCD4Win: http://www.ubcd4win.com/howto.htm

If you have any questions I suggest asking in the BSD, Linux, and Unix forum. I'm not skilled with Linux... $:-\$

sanmil0963 · « **Reply #48 on:** April 16, 2009, 06:46:06 PM »

I'm getting tired and frustrated, nothing is making any sense to me right now. I think I am going to leave this until tomorrow and come back a little refresher. Thanks for all your help and patience. I will be back again tomorrow.

evilfantasy · « **Reply #49 on:** April 16, 2009, 06:49:27 PM »

No problem. If something comes to me I will post it.

sanmil0963 · « **Reply #50 on:** April 18, 2009, 12:53:24 AM »

Hi,

I just you would like to know that I am back in my system now. What I did was restarted my computer. While it was rebooting, I hit F11. I did a backup of my files from there (hopefully it worked) and restored the manufacture settings. I am now in the process of restoring all my files.

If you like, I will let you know how it went.

Thanks again for all the help.

sanmil0963 · « **Reply #51 on:** April 18, 2009, 07:21:37 AM »

All my backup files where saved with a .stc extention. How do I retrieve the information?

sanmil0963 · « **Reply #52 on:** April 18, 2009, 05:27:13 PM »

Thank you. Thank you, Thank you.
I have my files restored and I am back up and running.

Thank you thank you thank you.

Did I thank you?

evilfantasy · « **Reply #53 on:** April 18, 2009, 05:47:58 PM »

Your welcome

Computer Hope Forum

News:

Author Topic: virtumonde infecting my computer (Read 17497 times)

sanmil0963

harry 48

sanmil0963

harry 48

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

evilfantasy

sanmil0963

sanmil0963

sanmil0963

evilfantasy