
Thread: Virtumonde won't go away

  1. #1
    Junior Member (Join Date: Jun 2008, Posts: 19)

    Virtumonde won't go away

    New member here, Spybot S&D keeps reporting Virtumonde but can't seem to clean it up. Windows Defender cannot either. This machine did not have a spyware checker prior to infection and in my attempts at googling for solutions I disabled system restore so there are no restore points (it has since been reenabled).

    I have read the "Do this first" section and performed all the steps listed. The indicated log files are presented below. Thanks so much for any help you can offer.

    The Kaspersky log files:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, June 01, 2008 8:27:33 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 1/06/2008
    Kaspersky Anti-Virus database records: 729780
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 43127
    Number of viruses found: 6
    Number of infected objects: 15
    Number of suspicious objects: 3
    Duration of the scan process: 00:56:07

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Dell\QuickSet\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Memeo\AutoBackup\logs\MemeoBackup.exe.log-2008-6-1.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05312008-191727.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\AuthPkg.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\biolsp.txt Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems\tcsd_log.txt Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/99H1IN.cca/14 Jan 1999 21:32 to /o=Intel/ou=Americas01/cn=Workers/cn=Schumm/360ICF~1.DOC Infected: Virus.MSWord.Class.fm skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/29 Oct 1998 00:41 to /o=Intel/ou=Americas01/cn=Workers/cn=Walker/epssup~1.xls Infected: Virus.MSExcel.Paix skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/03 Nov 1998 02:52 to /o=Intel/ou=Americas01/cn=Workers/cn=Benner/interf~1.xls Infected: Virus.MSExcel.Paix skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Nov 1998 17:25 to /o=Intel/ou=Americas01/cn=Workers/cn=Schumm/epssup~1.xls Infected: Virus.MSExcel.Paix skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Dec 1998 00:10 to /o=Intel/ou=Americas01/cn=Workers/cn=Bernun/opsrev~1.zip/smmitops1210.ppt Infected: Virus.MSExcel.Paix skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Dec 1998 00:10 to /o=Intel/ou=Americas01/cn=Workers/cn=Bernun/opsrev~1.zip Infected: Virus.MSExcel.Paix skipped
    C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst MailMSMaill: infected - 6 skipped
    C:\Documents and Settings\Susan Schumm\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\r) 2005 Q1.pst/r) 2005 Q1/Q105in/29 Mar 2005 20:05 from Regions Bank Customer Service Center:Acco.html Infected: Trojan-Spy.HTML.Bankfraud.cm skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\r) 2005 Q1.pst MailMSMaill: infected - 1 skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:00 from Schaefer, Ed:Re: WorstResortNameEver /midsong.exe Infected: Email-Worm.Win32.LovGate.c skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:01 from Schaefer, Ed:Re: Very punny /news_doc.exe Infected: Email-Worm.Win32.LovGate.c skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:01 from Schaefer, Ed:Re: RE: Talking Dog for Sale/humor.exe Infected: Email-Worm.Win32.LovGate.c skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:07 from Bringuel, Teresa:Re: EDW Materials Feb18t/docs.exe Infected: Email-Worm.Win32.LovGate.c skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst MailMSMaill: infected - 4 skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst/t) 2003 Q3/Q303in/24 Sep 2003 03:09 from inet mail system:notice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst/t) 2003 Q3/Q303in/24 Sep 2003 03:09 from inet mail system:notice.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst MailMSMaill: suspicious - 2 skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5B7222D1-726C-4B52-9850-3FC082A30B32} Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Temp\j22.exe Infected: Trojan-Downloader.Win32.Small.wmo skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Susan Schumm\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Susan Schumm\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Susan Schumm\ntuser.dat.LOG Object is locked skipped
    C:\scrumworks\bin\velocity.log Object is locked skipped
    C:\scrumworks\server\scrumworks\data\hypersonic\localDB.data Object is locked skipped
    C:\scrumworks\server\scrumworks\data\hypersonic\localDB.lck Object is locked skipped
    C:\scrumworks\server\scrumworks\data\hypersonic\localDB.log Object is locked skipped
    C:\scrumworks\server\scrumworks\data\hypersonic\scrumworks.lck Object is locked skipped
    C:\scrumworks\server\scrumworks\data\hypersonic\scrumworks.log Object is locked skipped
    C:\scrumworks\server\scrumworks\log\server.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5E0B2098-33E7-4516-BC40-DE966D1FF333}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
    C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\hsperfdata_SYSTEM\472 Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  2. #2
    Junior Member (Join Date: Jun 2008, Posts: 19)

    The HJT log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:11:31 AM, on 6/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\scrumworks\bin\ScrumworksService.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\iifcBrpm.dll (file missing)
    O2 - BHO: {2d220e21-2799-18a8-4a04-63aa4ecc8383} - {3838cce4-aa36-40a4-8a81-997212e022d2} - C:\WINDOWS\system32\xxkisjja.dll
    O2 - BHO: (no name) - {47F2F71A-FBA3-49FF-9652-E7165613A4CD} - C:\WINDOWS\system32\byXQIYRJ.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [40226483] rundll32.exe "C:\WINDOWS\system32\lrpsguck.dll",b
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00F1817E39D.exe] C:\DOCUME~1\SUSANS~1\LOCALS~1\Temp\_A00F1817E39D.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: iifcBrpm - iifcBrpm.dll (file missing)
    O20 - Winlogon Notify: __c0034634 - C:\WINDOWS\system32\__c0034634.dat (file missing)
    O20 - Winlogon Notify: __c007D54E - C:\WINDOWS\system32\__c007D54E.dat
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: ScrumWorks Pro Server 3.0.0 - Alexandria Software Consulting + Multiplan Consultants - c:\scrumworks\bin\ScrumworksService.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8098 bytes
    Last edited by tashi; 2008-06-02 at 03:12. Reason: Mod: moved from new and undetected forum
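As an added illustration that is not part of this thread (it is written for this edit, not a tool from the forum, from Trend Micro or from the helper), the Python script below runs a handful of triage heuristics over HijackThis lines of the kind shown in the log above: an O2 BHO whose file is missing or that has only a CLSID where a display name should be, an O4 autorun that launches from a Temp directory or that loads a DLL through rundll32 under a purely numeric Run name, and an O20 Winlogon Notify package that is a .dat file instead of a DLL. The rules are assumptions of the example chosen to mirror what a helper looks at first; they produce a triage list, not a verdict. The sample lines are copied from the posted log, with a few benign entries added so the script has something to pass.

```python
import re

# Constructed sample for the example: lines copied from the HijackThis log posted
# above, plus benign entries (Spybot, Apoint, AVG) so the triage has something to pass.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\iifcBrpm.dll (file missing)
O2 - BHO: {2d220e21-2799-18a8-4a04-63aa4ecc8383} - {3838cce4-aa36-40a4-8a81-997212e022d2} - C:\WINDOWS\system32\xxkisjja.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [40226483] rundll32.exe "C:\WINDOWS\system32\lrpsguck.dll",b
O4 - HKCU\..\Run: [A00F1817E39D.exe] C:\DOCUME~1\SUSANS~1\LOCALS~1\Temp\_A00F1817E39D.exe
O20 - Winlogon Notify: __c007D54E - C:\WINDOWS\system32\__c007D54E.dat
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# "O2 - BHO: ..." -> the section code and the rest of the line
HJT_LINE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# A bare {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} sitting where a display name should be
CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# The [name] of an O4 Run entry
RUN_NAME = re.compile(r"\[([^\]]+)\]")


def triage_line(line):
    """Return the triage reasons for one HijackThis line (empty list = nothing flagged).

    The rules are heuristics chosen for this example, not HijackThis's own logic:
    they mark the patterns a helper would look at first, not a verdict.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group(1), m.group(2).strip()
    lower = body.lower()
    reasons = []

    if kind in ("O2", "O20") and "(file missing)" in lower:
        # A registration whose DLL is gone: leftover of a removed or renamed component.
        reasons.append("registered component's file is missing")

    if kind == "O2":
        # body looks like "BHO: <name> - {CLSID} - <path>"
        fields = [f.strip() for f in body[len("BHO:"):].split(" - ")]
        if fields and CLSID.match(fields[0]):
            reasons.append("BHO has no display name, only a CLSID")

    elif kind == "O4":
        if "\\temp\\" in lower:
            reasons.append("autorun launches an executable from a Temp directory")
        name = RUN_NAME.search(body)
        if "rundll32" in lower and name and name.group(1).isdigit():
            reasons.append("numeric autorun name loads a DLL through rundll32")

    elif kind == "O20" and lower.endswith(".dat"):
        # Winlogon Notify packages are DLLs; a .dat here is a renamed library.
        reasons.append("Winlogon Notify package is a .dat file rather than a DLL")

    return reasons


def triage_log(text):
    """Map each flagged log line to its list of reasons, preserving log order."""
    flagged = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_HJT_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, five of the eight lines come back flagged and the Spybot, Apoint and AVG entries pass. The point of keeping the rules as separate, named reasons is that an analyst reviewing a log can see why each line was raised and discard a false positive without losing the others.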

  3. #3
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #4
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Due to inactivity, this thread will now be closed.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
