PDA

View Full Version : Virtumonde won't go away



kwschumm
2008-06-01, 19:21
New member here, Spybot S&D keeps reporting Virtumonde but can't seem to clean it up. Windows Defender cannot either. This machine did not have a spyware checker prior to infection and in my attempts at googling for solutions I disabled system restore so there are no restore points (it has since been reenabled).

I have read the "Do this first" section and performed all the steps listed. The indicated log files are presented below. Thanks so much for any help you can offer.

The Kasperky log files:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 8:27:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 729780
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43127
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 3
Duration of the scan process: 00:56:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Dell\QuickSet\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Memeo\AutoBackup\logs\MemeoBackup.exe.log-2008-6-1.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05312008-191727.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\AuthPkg.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\biolsp.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems\tcsd_log.txt Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/99H1IN.cca/14 Jan 1999 21:32 to /o=Intel/ou=Americas01/cn=Workers/cn=Schumm/360ICF~1.DOC Infected: Virus.MSWord.Class.fm skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/29 Oct 1998 00:41 to /o=Intel/ou=Americas01/cn=Workers/cn=Walker/epssup~1.xls Infected: Virus.MSExcel.Paix skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/03 Nov 1998 02:52 to /o=Intel/ou=Americas01/cn=Workers/cn=Benner/interf~1.xls Infected: Virus.MSExcel.Paix skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Nov 1998 17:25 to /o=Intel/ou=Americas01/cn=Workers/cn=Schumm/epssup~1.xls Infected: Virus.MSExcel.Paix skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Dec 1998 00:10 to /o=Intel/ou=Americas01/cn=Workers/cn=Bernun/opsrev~1.zip/smmitops1210.ppt Infected: Virus.MSExcel.Paix skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst/uu) 1999 H2/Migrated cc:Mail Archives/98H2IN.cca/10 Dec 1998 00:10 to /o=Intel/ou=Americas01/cn=Workers/cn=Bernun/opsrev~1.zip Infected: Virus.MSExcel.Paix skipped
C:\Documents and Settings\Susan Schumm\Application Data\Microsoft\Outlook\outlook.pst MailMSMaill: infected - 6 skipped
C:\Documents and Settings\Susan Schumm\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\r) 2005 Q1.pst/r) 2005 Q1/Q105in/29 Mar 2005 20:05 from Regions Bank Customer Service Center:Acco.html Infected: Trojan-Spy.HTML.Bankfraud.cm skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\r) 2005 Q1.pst MailMSMaill: infected - 1 skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:00 from Schaefer, Ed:Re: WorstResortNameEver /midsong.exe Infected: Email-Worm.Win32.LovGate.c skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:01 from Schaefer, Ed:Re: Very punny /news_doc.exe Infected: Email-Worm.Win32.LovGate.c skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:01 from Schaefer, Ed:Re: RE: Talking Dog for Sale/humor.exe Infected: Email-Worm.Win32.LovGate.c skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst/t) 2003 Q1/Q103in/24 Feb 2003 16:07 from Bringuel, Teresa:Re: EDW Materials Feb18t/docs.exe Infected: Email-Worm.Win32.LovGate.c skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q1.pst MailMSMaill: infected - 4 skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst/t) 2003 Q3/Q303in/24 Sep 2003 03:09 from inet mail system:notice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst/t) 2003 Q3/Q303in/24 Sep 2003 03:09 from inet mail system:notice.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Outlook\t) 2003 Q3.pst MailMSMaill: suspicious - 2 skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5B7222D1-726C-4B52-9850-3FC082A30B32} Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Temp\j22.exe Infected: Trojan-Downloader.Win32.Small.wmo skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Susan Schumm\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Susan Schumm\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Susan Schumm\ntuser.dat.LOG Object is locked skipped
C:\scrumworks\bin\velocity.log Object is locked skipped
C:\scrumworks\server\scrumworks\data\hypersonic\localDB.data Object is locked skipped
C:\scrumworks\server\scrumworks\data\hypersonic\localDB.lck Object is locked skipped
C:\scrumworks\server\scrumworks\data\hypersonic\localDB.log Object is locked skipped
C:\scrumworks\server\scrumworks\data\hypersonic\scrumworks.lck Object is locked skipped
C:\scrumworks\server\scrumworks\data\hypersonic\scrumworks.log Object is locked skipped
C:\scrumworks\server\scrumworks\log\server.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5E0B2098-33E7-4516-BC40-DE966D1FF333}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\472 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

kwschumm
2008-06-01, 19:23
The HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:31 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\scrumworks\bin\ScrumworksService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\iifcBrpm.dll (file missing)
O2 - BHO: {2d220e21-2799-18a8-4a04-63aa4ecc8383} - {3838cce4-aa36-40a4-8a81-997212e022d2} - C:\WINDOWS\system32\xxkisjja.dll
O2 - BHO: (no name) - {47F2F71A-FBA3-49FF-9652-E7165613A4CD} - C:\WINDOWS\system32\byXQIYRJ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [40226483] rundll32.exe "C:\WINDOWS\system32\lrpsguck.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F1817E39D.exe] C:\DOCUME~1\SUSANS~1\LOCALS~1\Temp\_A00F1817E39D.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: iifcBrpm - iifcBrpm.dll (file missing)
O20 - Winlogon Notify: __c0034634 - C:\WINDOWS\system32\__c0034634.dat (file missing)
O20 - Winlogon Notify: __c007D54E - C:\WINDOWS\system32\__c007D54E.dat
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ScrumWorks Pro Server 3.0.0 - Alexandria Software Consulting + Multiplan Consultants - c:\scrumworks\bin\ScrumworksService.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8098 bytes

Blade81
2008-06-02, 11:36
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Blade81
2008-06-08, 14:05
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.