Results 1 to 5 of 5

Thread: Help with Virtumonde.prx

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Default Help with Virtumonde.prx

    Looks like I've picked up the dreaded virtumonde.prx
    I very much appreciate any help to remove it.

    Below is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:17:16 AM, on 12/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\StacSV.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\N-trig\N-trig Software Bundle\NtrigApplet.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\Program Files\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Downloads\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slcc.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

    http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

    http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

    http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

    Explorer provided by SLCC
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program

    Files\TechSmith\SnagIt 9\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

    Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

    C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

    Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

    Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {bb44d281-4a62-42a6-9b3b-55deb09b8932} -

    C:\WINDOWS\system32\mafaguzu.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program

    Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft

    shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

    8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major

    Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    -startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe"

    /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE"

    /STANDALONE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [NtrigApplet] C:\Program Files\N-trig\N-trig Software

    Bundle\NtrigApplet.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems

    Corp\Common\ChangeTPMAuth.exe /T:NTRU12
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services

    Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY

    Security Setup\EMBASSYSecurityCheck.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common

    Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping

    Tool\SnippingTool.exe" /i
    O4 - HKLM\..\Run: [CPM4b3fe1b1] Rundll32.exe "c:\windows\system32\dojiralo.dll",a
    O4 - HKLM\..\Run: [rejudoluni] Rundll32.exe "C:\WINDOWS\system32\safevayi.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location

    Finder\LocationFinder.exe"
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL

    SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [rejudoluni] Rundll32.exe "C:\WINDOWS\system32\safevayi.dll",s

    (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK

    SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx

    nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx

    nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: SetPoint.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel -

    res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

    C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

    C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

    Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

    C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.SLCC.edu
    O15 - Trusted Zone: *.slcc.edu
    O15 - Trusted Zone: http://slcclive.wimba.com
    O15 - Trusted Zone: *.slcc.edu (HKLM)
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) -

    http://asp.mathxl.com/books/_Players...stallAsst2.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

    https://pson.webex.com/client/T26L10...ng/ieatgpc.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) -

    https://sslvpn.slcc.edu/dana-cached/...erSetupSP1.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) -

    http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SLCC.int
    O17 - HKLM\Software\..\Telephony: DomainName = SLCC.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SLCC.int
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SLCC.int
    O20 - AppInit_DLLs: c:\windows\system32\gavuzeyi.dll c:\windows\system32\vifuwopo.dll

    C:\WINDOWS\system32\wuruvivi.dll c:\windows\system32\sofokujo.dll

    c:\windows\system32\dojiralo.dll
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe

    Libraries\BIN\WLEventNotify.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -

    c:\windows\system32\dojiralo.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -

    c:\windows\system32\dojiralo.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program

    Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program

    Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan

    Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program

    Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems

    Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. -

    C:\WINDOWS\system32\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program

    Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted

    Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems

    Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner -

    C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11774 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

    The first thing you have to assure me this your personal computer, that it does not belong to the school, see this:
    http://forums.spybot.info/showpost.p...12&postcount=5
    O17 - HKLM\Software\..\Telephony: DomainName = SLCC.int
    http://www.slcc.edu/

    Note: When the infected computer in question is a company machine in the workplace, and you are an employee.

    The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

    More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

    Thanks for your understanding.
    If this is your computer, and there are no issues of it being connected to institution networks or owned by the school, then we can proceed.

    http://forums.spybot.info/showthread.php?t=288 <<< make sure you have followed all of those instructions, including:

    C:\Downloads\HiJackThis.exe <<< instructions not followed, unsafe location. Follow the directions to place the HijackThis log where the directions say it should be:
    By default it will install to C:\Program Files\Trend Micro\HijackThis
    then post a new HijackThis log after reading these instructions carefully:
    Provide: The HJT log only.
    Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
    single-spaced - (of type or print) not having a blank space between lines.
    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Default

    This is my laptop (I wanted a tablet for my online math courses) but I access the college network when I take it on campus (I mostly run my online classes from home). The college agreed to put their stuff on it so I can access their network for my course, but when I contacted them about this problem and they would not even look at the machine. They told me the only thing they could do to help me was wipe out everything and start over. (Kind of like--you wanted your computer on our network and now you want help with it). I have a lot of math software I use that I'd have to re-install and configure so that was not a very pleasant option for me. They told me I was free to try to clean it up myself but if I wasn't successful to bring it in and they'd wipe everything off for me so I could start over. Was hoping to be able to resolve it on my own instead of having to do that. Please help. If you are still willing to help me here is the HJT log (done correctly):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:34:29 PM, on 12/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\StacSV.exe
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\N-trig\N-trig Software Bundle\NtrigApplet.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\Program Files\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Documents and Settings\shaider\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slcc.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SLCC
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {bb44d281-4a62-42a6-9b3b-55deb09b8932} - C:\WINDOWS\system32\kuwakepe.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [NtrigApplet] C:\Program Files\N-trig\N-trig Software Bundle\NtrigApplet.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
    O4 - HKLM\..\Run: [rejudoluni] Rundll32.exe "C:\WINDOWS\system32\rokesoza.dll",s
    O4 - HKLM\..\Run: [CPM4b3fe1b1] Rundll32.exe "c:\windows\system32\tosofove.dll",a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [rejudoluni] Rundll32.exe "C:\WINDOWS\system32\rokesoza.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: SetPoint.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.SLCC.edu
    O15 - Trusted Zone: *.slcc.edu
    O15 - Trusted Zone: http://slcclive.wimba.com
    O15 - Trusted Zone: *.slcc.edu (HKLM)
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pson.webex.com/client/T26L10...ng/ieatgpc.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://sslvpn.slcc.edu/dana-cached/...erSetupSP1.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SLCC.int
    O17 - HKLM\Software\..\Telephony: DomainName = SLCC.int
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SLCC.int
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SLCC.int
    O20 - AppInit_DLLs: c:\windows\system32\gavuzeyi.dll c:\windows\system32\vifuwopo.dll c:\windows\system32\sofokujo.dll c:\windows\system32\dojiralo.dll C:\WINDOWS\system32\moyedebi.dll c:\windows\system32\tosofove.dll
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tosofove.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tosofove.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11774 bytes

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for that feedback, I would be glad to do all I can to help. Just as long as you and the college is aware that there is always the chance of them getting infected if you plug into their network.

    I can not tell you how important it is to follow the directions exactly! I posted the location where the instructions would install HijackThis safely:
    By default it will install to C:\Program Files\Trend Micro\HijackThis
    and you are still running it from here?
    C:\Documents and Settings\shaider\Desktop\HiJackThis.exe

    Follow these directions before you proceed, HJT must be located properly in the next HJT log I look at:

    1) Download Trend Micro Hijack This™ to your Desktop
    http://download.bleepingcomputer.com...HJTInstall.exe
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
    HijackThis will open after install. Press the Scan button below.
    This will start the scan and open a log. <<< close HJT until I am for the next HJT log.

    2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks...Phil

    3) Post an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
    Update for Windows XP and Windows XP Hotfix to shorten the list
    )
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Default

    An update--I VERY much appreciate your willingness to help me and the service you do for us. I mis-read the instructions earlier on where to put HJT but have it straight now (You'd think I'd be better since I am continually harping at my students to read problems carefully ).

    I may be out of luck after all since when going to temporarily disable the anti-virus (which the college installed as part of the deal of allowing my laptop on their network) I found they'd put a password on it to prevent disabling. I have contacted them about this but we can't contact them directly and have to process a help ticket so I'm still waiting for an answer back on that. They may have me over a barrel if they won't let me temporarily disable even though I won't be anywhere near their network until mid-January. Wanted to update you on the delay---I'll post again as soon as I hear back from them---thanks again for your expertise and willingness to help.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •