Thread: help with virtumonde as well

  1. #1
    Junior Member (Join Date: Nov 2007, Posts: 1)

    help with virtumonde as well

    Hi,
    I ran Spybot S&D multiple times; Virtumonde keeps coming back. Help! I had tried to download ComboFix from other threads. It didn't seem to help.

    Log from last scan. Please let me know if you need more.


    --- Browser start & search pages list ---
    Spybot - Search & Destroy browser pages report, 11/03/2007 4:34:02 PM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://med.home.ge.com/
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://healthcare.home.ge.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

  2. #2
    tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    Hello.

    Please see the stickied procedure for this forum: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance).

    Copy/paste the HJT log and the result of the on-line anti-virus scan into a new topic; I will close this one, as helpers look for zero responses.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
