Full Version: Virus: Win32/Adware.Virtumonde program
Envidia
Hi, I got the virus Win32/adware.Virtumonde program stuck in the system file C:\Windows\system32\rqRLcAPj.dll. NOD32 can't delete it and I couldn't fix it with Combofix either. But I'm not sure I can handle Combofix, so I maybe did it wrong.

Can someone help me?

This is the log after scanning with Combofix.

ComboFix 08-06-20.4 - Administratör 2008-06-24 1:01:48.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.347 [GMT 2:00]
Running from: C:\Documents and Settings\Administratör\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administratör\Skrivbord\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-22 15:57 . 2008-06-14 20:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-22 12:08 . 2008-06-22 12:08 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala instõllningar
2008-06-22 12:08 . 2008-06-22 12:08 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala instõllningar
2008-06-22 12:08 . 2008-06-22 12:08 <KAT> d-------- C:\Documents and Settings\Administrat÷r
2008-06-21 17:58 . 2008-06-21 17:58 <KAT> d-------- C:\Program\Lavasoft
2008-06-21 17:57 . 2008-06-21 17:57 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2008-06-21 08:57 . 2008-06-21 08:56 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-06-21 08:57 . 2008-06-21 08:56 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-06-21 08:57 . 2008-06-21 08:56 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-06-21 08:43 . 2008-06-21 08:49 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-06-21 08:43 . 2008-06-21 08:43 <KAT> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-06-20 18:34 . 2008-06-20 18:34 0 --a------ C:\WINDOWS\BMf70a4d55.xml
2008-06-20 06:16 . 2008-06-20 06:16 24,576 --------- C:\WINDOWS\system32\rqRLcAPj.dll
2008-06-06 12:40 . 2008-06-06 12:40 <KAT> d-------- C:\Program\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 06:18 --------- d-----w C:\Program\ESET
2008-06-21 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-20 13:20 --------- d-----w C:\Documents and Settings\Administratör\Application Data\uTorrent
2008-06-19 05:19 --------- d-----w C:\Documents and Settings\Administratör\Application Data\AdobeUM
2008-06-14 18:01 272,128 ------w C:\Windows\system32\drivers\bthport.sys
2008-05-16 09:58 12,632 ----a-w C:\Windows\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\Windows\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,289,728 ----a-w C:\Windows\system32\quartz.dll
2008-05-07 05:16 1,289,728 ------w C:\Windows\system32\dllcache\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\Windows\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\Windows\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\Windows\system32\drivers\Awrtpd.sys
2008-04-17 10:52 18,432 ------w C:\Windows\system32\dllcache\iedw.exe
2008-03-25 04:52 621,344 ----a-w C:\Windows\system32\mswstr10.dll
2008-03-25 04:52 621,344 ------w C:\Windows\system32\dllcache\mswstr10.dll
2008-03-25 04:52 162,592 ----a-w C:\Windows\system32\msjint40.dll
2008-03-25 04:52 162,592 ------w C:\Windows\system32\dllcache\msjint40.dll
2007-12-22 00:44 20,712 ----a-w C:\Documents and Settings\Administratör\Application Data\GDIPFONTCACHEV1.DAT
2006-11-02 13:15 1,077,258 ----a-w C:\Program\miranda-im-v0.5.1-unicode.exe
2006-11-02 00:17 1,355,912 ----a-w C:\Program\install_flash_player.exe
2006-11-01 22:58 5,708,152 ----a-w C:\Program\Firefox Setup 2.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\Windows\system32\ctfmon.exe" [2004-08-04 10:34 15360]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-02-14 13:42 315392 C:\WINDOWS\system32\atiptaxx.exe]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2002-04-25 18:15 126976]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2002-04-25 18:14 540672]
"eabconfg.cpl"="C:\Program\Compaq\EAB\EabServr.exe" [2002-03-07 15:49 171665]
"Acrobat Assistant 7.0"="C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"TrustInstaller"="D:\Setup.exe" [ ]
"atwtusb"="atwtusb.exe" [2002-03-11 12:42 176128 C:\WINDOWS\system32\Atwtusb.exe]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2008-06-21 08:56 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\Windows\System32\CTFMON.EXE" [2004-08-04 10:34 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLcAPj]
rqRLcAPj.dll 2008-06-20 06:16 24576 C:\WINDOWS\system32\rqRLcAPj.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Miranda IM\\miranda32.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"C:\\Program\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program\\MSN Messenger\\livecall.exe"=
"C:\\Program\\Internet Explorer\\iexplore.exe"=
"C:\\Program\\uTorrent\\uTorrent.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 15:34:00 C:\Windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 01:04:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\rqRLcAPj.dll
.
Completion time: 2008-06-24 1:10:21
ComboFix-quarantined-files.txt 2008-06-23 23:10:07
ComboFix2.txt 2008-06-23 22:50:12
ComboFix3.txt 2008-06-22 11:04:23
ComboFix4.txt 2008-06-22 10:08:03

Pre-Run: 10,501,763,072 byte ledigt
Post-Run: 10,492,055,552 byte ledigt

108 --- E O F --- 2008-06-23 02:25:18



This is the Hijackthis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:54:49, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\atiptaxx.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Compaq\EAB\EabServr.exe
C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Windows\system32\atwtusb.exe
C:\Program\Eset\nod32kui.exe
C:\Windows\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Windows\System32\Ati2evxx.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Eset\nod32krn.exe
C:\Windows\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wuauclt.exe
C:\Program\internet explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrustInstaller] D:\Setup.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162406132333
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162406120025
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.pixbox.se/aurigma/iu_4.5.4.0/ImageUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.pixbox.se/static/ImageUploader3.cab
O20 - Winlogon Notify: rqRLcAPj - C:\Windows\SYSTEM32\rqRLcAPj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe

--
End of file - 6469 bytes
Blade81
Hi

ComboFix is not a general removal tool and it shouldn't be used without supervision!


Open Notepad and copy/paste the text in the quote box below into it:

CODE
File::
C:\WINDOWS\BMf70a4d55.xml
C:\WINDOWS\system32\rqRLcAPj.dll

Folder::
C:\Documents and Settings\All Users\Application Data\System Doctor Free
C:\Documents and Settings\All Users\Application Data\SalesMon

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRLcAPj]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.



Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log in your next reply.
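The CFScript above removes two persistence items visible in the HijackThis log: the O20 Winlogon Notify DLL and the O2 BHO whose file is gone. As an added example (not a tool from this thread, from Lavasoft or from HijackThis), the script below triages log lines of that form and maps each hit to the full registry key it lives under; the allowlist of Windows-shipped Notify packages and the sample log lines are constructed.

```python
"""Triage HijackThis-style log lines for the two persistence items in this
thread: an O20 Winlogon Notify DLL and an O2 BHO whose file is gone."""
import re
from typing import NamedTuple

# Constructed allowlist of Winlogon Notify packages Windows XP itself registers.
# Anything not listed is reported for a human to review, never auto-removed.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "wgalogon"}
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+)$")

class Finding(NamedTuple):
    kind: str   # "winlogon_notify" or "orphan_bho"
    name: str   # Notify subkey name, or the BHO CLSID
    path: str   # DLL path as logged, or "(no file)"

def triage(log_text: str) -> list[Finding]:
    """Return suspicious O20/O2 entries in log order; other item types are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O20_RE.match(line)) and m.group(1).lower() not in KNOWN_NOTIFY:
            findings.append(Finding("winlogon_notify", m.group(1), m.group(2)))
        elif (m := O2_RE.match(line)) and m.group(2).strip().lower() == "(no file)":
            findings.append(Finding("orphan_bho", m.group(1), m.group(2)))
    return findings

def registry_keys(findings: list[Finding]) -> list[str]:
    """Full registry key each finding lives under (ComboFix logs abbreviate it with '~')."""
    base = {"winlogon_notify": NOTIFY_KEY, "orphan_bho": BHO_KEY}
    return [base[f.kind] + "\\" + f.name for f in findings]

# Constructed sample: the two lines from the log in this thread plus a benign
# Notify entry (WgaLogon) to show the allowlist in action.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: rqRLcAPj - C:\Windows\SYSTEM32\rqRLcAPj.dll
"""

if __name__ == "__main__":
    for f, key in zip(triage(SAMPLE_LOG), registry_keys(triage(SAMPLE_LOG))):
        print(f"{f.kind}: {f.name} ({f.path})\n    {key}")
```

The output is a review list for whoever is supervising the cleanup; the keys it prints are the ones the CFScript's Registry:: section addresses by hand.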
Blade81
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !