Results 1 to 5 of 5

Thread: Virtumonde Help

  1. 2007-10-10, 14:03 #1
    tgilmart
    tgilmart is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    2

    Default Virtumonde Help

    Spy bot Sd detected this malware many months ago but it wasn't until yesterday that it caused serious problems. Every time I opened the internet I got serveral popup and as quick as I closed them more would appear, also my desktop icons would disapear when firefox was closed. So I looked through your forum and carryed out a clean as described by rdsok.
    Cwshredder, ad-ware2007, rogue remover, spybot, avg anti spy and then avg antivirus.
    My system is back up working but as virtumonde is still there the problem will reoccur.
    I have pasted below the logfile from Hijack this and in a new thread Combo fix.

    I would be greatful if anyone can identify how to remove this malware.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:09:39, on 10/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\PM Agent\WisFnCtrlSvc.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Documents and Settings\tgilmartin\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/us/en/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - ?p=ZU
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163324586375
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://office.anutherapie.com/Remote/msrdp.cab
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heatsolve.local
    O17 - HKLM\Software\..\Telephony: DomainName = heatsolve.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heatsolve.local
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WisFnCtrlSvc - Wistron Corp. - C:\Program Files\PM Agent\WisFnCtrlSvc.exe

    --
    End of file - 9371 bytes
  2. 2007-10-10, 18:02 #2
    tashi
    tashi is offline
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello.

    I removed your second new topic, the following links to our forum sticky topics may be useful.

    "BEFORE you POST"(READ this Procedure before Requesting Assistance)

    Start with ONLY the Two Logs We Ask For in Our Sticky Topic, NOT CF etc

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
  3. 2007-10-10, 18:48 #3
    tgilmart
    tgilmart is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    2

    Default Virtumonde help (Combolog)

    ComboFix 07-10-09.3 - tgilmartin 2007-10-10 12:11:09.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.368 [GMT 1:00]
    Running from: C:\Documents and Settings\tgilmartin\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\tgilmartin\Application Data\macromedia\Flash Player\#SharedObjects\VRMH94AP\www.broadcaster.com
    C:\Documents and Settings\tgilmartin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\tgilmartin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Program Files\msmovies
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\aupdhioq.exe
    C:\WINDOWS\system32\chiodfry.exe
    C:\WINDOWS\system32\dtkbqusd.exe
    C:\WINDOWS\system32\fiajraoq.ini
    C:\WINDOWS\system32\gcdgfsmi.exe
    C:\WINDOWS\system32\gebyy.dll
    C:\WINDOWS\system32\hivnnurn.exe
    C:\WINDOWS\system32\lcuypecs.exe
    C:\WINDOWS\system32\lnklyrmt.dll
    C:\WINDOWS\system32\onnjbbut.ini
    C:\WINDOWS\system32\qdabimnd.exe
    C:\WINDOWS\system32\qoarjaif.dll
    C:\WINDOWS\system32\smrhyuww.dll
    C:\WINDOWS\system32\tikaiktx.dll
    C:\WINDOWS\system32\tubbjnno.dll
    C:\WINDOWS\system32\tutrljsp.exe
    C:\WINDOWS\system32\wjqswqar.exe
    C:\WINDOWS\system32\xgnwspgg.exe
    C:\WINDOWS\system32\xtkiakit.ini
    C:\WINDOWS\system32\xxyxyxx.dll
    C:\WINDOWS\system32\yybeg.bak1
    C:\WINDOWS\system32\yybeg.bak1
    C:\WINDOWS\system32\yybeg.bak2
    C:\WINDOWS\system32\yybeg.bak2
    C:\WINDOWS\system32\yybeg.ini
    C:\WINDOWS\system32\yybeg.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 203.-03-28 to 203.0.5.00 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-10 08:05 2,883,584 ---ha-w C:\Documents and Settings\Tomás\NTUSER.DAT
    2007-10-09 12:59 886 ---ha-w C:\Program Files\i_view32.ini
    2005-03-22 16:59 432,128 ----a-w C:\Program Files\i_view32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{024E84C7-EF09-4D28-84B9-BA9D98A3504c}]
    C:\WINDOWS\system32\wrcywopj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54D4FE74-634B-4BE9-BD35-C8C0719FE346}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 17:36]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-17 09:31]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 16:15]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 17:10]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    C:\Program Files\Softex\OmniPass\opxpgina.dll 2006-03-20 21:00 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomklml]
    qomklml.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
    winjyg32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk]
    rundll32.exe "C:\WINDOWS\system32\tubbjnno.dll",setvm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
    C:\WINDOWS\BisonCam\BsMnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmUsbSound]
    RunDll32 cmcnfgu.cpl,CMICtrlWnd

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauthe]
    "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
    dxdllreg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jmrotsvu.exe]
    C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsMovies]
    C:\Program Files\MsMovies\MsMovies.exe /auto

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
    rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
    C:\Program Files\Softex\OmniPass\scureapp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
    rundll32.exe "C:\WINDOWS\system32\dgnhutbb.dll",sitypnow

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    C:\WINDOWS\sm56hlpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
    %SystemRoot%\system32\mobsync.exe /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
    rundll32.exe "C:\WINDOWS\system32\keteubbk.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDxVGAUTIL]
    C:\WINDOWS\system32\TDxVGAUTIL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "TermService"=3 (0x3)
    "lanmanserver"=2 (0x2)
    "TVT Scheduler"=2 (0x2)
    "TVT Backup Service"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

    R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
    R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
    R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
    R2 WisFnCtrlSvc;WisFnCtrlSvc;C:\Program Files\PM Agent\WisFnCtrlSvc.exe
    R3 ADM851X;ADM851X USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851X.SYS
    R3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500);C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
    R3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys
    R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
    R3 TdxMrMINI;TdxMrMINI;C:\WINDOWS\system32\DRIVERS\TdxMrMini.sys
    R3 TdxVGAMINI;TdxVGAMINI;C:\WINDOWS\system32\DRIVERS\TdxVgaMini.sys
    R3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);C:\WINDOWS\system32\drivers\TdxVGAUSB.sys
    R3 U2SP;OEM USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys
    S0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f954b1e-9399-11db-9782-0013024c2b10}]
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
    Open(&0)\command - Recycled\ctfmon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64ebcc5a-f0bf-11db-983d-0016cedd4885}]
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
    Open(&0)\command - Recycled\ctfmon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e35d7af2-024e-11dc-9865-0016cedd4885}]
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
    Open(&0)\command - Recycled\ctfmon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fda9de10-cb4d-11db-97eb-0016cedd4885}]
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
    Open(&0)\command - Recycled\ctfmon.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-02-26 10:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2007-10-08 16:14:24 C:\WINDOWS\Tasks\Lenovo Backup.job"
    "2007-10-10 11:18:33 C:\WINDOWS\Tasks\SDMsgUpdate (SD).job"
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-10 12:18:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-10 12:21:25 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:21
    .
    --- E O F ---
  4. 2007-10-19, 11:05 #4
    pskelley
    pskelley is offline
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    The Waiting Room
    http://forums.spybot.info/forumdisplay.php?f=37

    tashi posted directions for you, did you read them? If you still have issues, read and follow the directions and I will do what I can to help.
    I will need a new HJT log along with the Kaspersky scan results.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
  5. 2007-10-26, 08:13 #5
    tashi
    tashi is offline
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    This topic has been archived.

    If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

    Applies only to the original poster, anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules