Results 1 to 2 of 2

Thread: Analysis after attempt to remove Virtumonde.dll

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    Default Analysis after attempt to remove Virtumonde.dll

    Hi Expert Analyzers,

    Hope someone can give me feedback on my logs, before I do anything else on my laptop. So I've run the instructions to remove Virtumonde.dll. Note that ZoneAlarm now reports suspicious behavior: "Registry Editor is trying to uninstall a library that should be loaded any time an application is started" (Application: regedit.exe). Here are the respective ComboFix and HijackThis logs:

    ***** ComboFix *****

    ComboFix 08-07-17.4 - Administrator 2008-07-18 15:46:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2549 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Desktop\Vista Antivirus 2008.lnk
    C:\Program Files\PCHealthCenter
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\sex1.ico
    C:\Program Files\PCHealthCenter\sex2.ico
    C:\WINDOWS\Sys739.exe
    C:\WINDOWS\Sys73A.exe
    C:\WINDOWS\Sys73B.exe
    C:\WINDOWS\Sys73C.exe
    C:\WINDOWS\Sys73D.exe
    C:\WINDOWS\system32\ddcAsqrp.dll
    C:\WINDOWS\system32\eviybgam.ini
    C:\WINDOWS\system32\gwvnmc.dll
    C:\WINDOWS\system32\jnbqwoog.dll
    C:\WINDOWS\system32\magbyive.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\TwGNoUvw.ini
    C:\WINDOWS\system32\TwGNoUvw.ini2
    C:\WINDOWS\system32\urqPiheD.dll
    C:\WINDOWS\system32\vav.cpl
    C:\WINDOWS\system32\wvUoNGwT.dll
    C:\WINDOWS\system32\xxywWOgd.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
    .

    2008-07-18 12:26 . 2008-07-18 12:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-18 12:26 . 2008-07-18 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-18 11:51 . 2008-07-18 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
    2008-07-18 11:44 . 2008-07-18 16:15 281,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-07-18 11:44 . 2008-07-18 16:15 4,820 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-07-18 11:35 . 2008-07-18 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-07-18 11:35 . 2008-07-18 13:25 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
    2008-07-18 11:34 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-07-18 11:33 . 2008-07-18 12:08 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2008-07-18 11:33 . 2008-07-18 11:33 <DIR> d-------- C:\Program Files\Zone Labs
    2008-07-18 11:33 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2008-07-18 11:33 . 2008-07-18 16:16 355,091 --a------ C:\WINDOWS\system32\vsconfig.xml
    2008-07-18 11:32 . 2008-07-18 16:06 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-06-30 20:43 . 2008-06-30 20:43 <DIR> d-------- C:\Program Files\Virtual Earth 3D
    2008-06-20 14:26 . 2008-06-20 14:26 2,436 --a------ C:\bar.emf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-18 14:17 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-07-18 08:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
    2008-07-18 08:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
    2008-07-18 06:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
    2008-07-16 17:47 --------- d-----w C:\Program Files\Azureus
    2008-07-16 17:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-07-15 13:02 --------- d-----w C:\Program Files\NetBeans 6.1
    2008-07-01 15:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-06-17 12:40 --------- d-----w C:\Program Files\XML Marker
    2008-06-17 12:25 --------- d-----w C:\Program Files\XML Notepad
    2008-05-25 08:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-05-25 08:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
    2008-05-24 07:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio
    2008-05-23 09:56 --------- d-----w C:\Program Files\The KMPlayer
    2008-02-12 11:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 12:09 460784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 10:08 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 19:39 159744]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2007-12-14 04:42 144784]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-20 16:55 1228800]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 16:32 102400]
    "SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 12:53 212992]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 04:10 1392640]
    "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
    "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 12:30 29744]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
    "PMX Daemon"="ICO.EXE" [2007-03-08 12:58 49152 C:\WINDOWS\system32\ico.exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 14:26 303104 C:\WINDOWS\stsystra.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 21:43:46 2150400]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-09-18 22:06:54 50688]
    ScanPanel.lnk - C:\ScanPanel\ScnPanel.exe [2008-05-10 21:28:17 1748992]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
    "C:\\Program Files\\Java\\jdk1.6.0_04\\bin\\java.exe"=
    "C:\\Program Files\\Java\\jdk1.6.0_04\\jre\\bin\\java.exe"=
    "C:\\Program Files\\Azureus\\Azureus.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2007-04-15 20:31]
    R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2006-08-28 16:00]
    R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
    R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
    S2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe []
    S3 BCMTPM;BCMTPM;C:\WINDOWS\system32\DRIVERS\btpmw32.sys [2005-10-14 07:54]
    S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
    S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-12 12:30]
    S3 pmxmouse;PMXMOUSE;C:\WINDOWS\system32\DRIVERS\pmxmouse.sys [2006-04-24 10:57]
    S3 pmxusblf;PMXUSBLF;C:\WINDOWS\system32\DRIVERS\pmxusblf.sys [2006-04-24 10:59]
    S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-01-29 22:59]
    S3 Tomcat5;Apache Tomcat;C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe [2008-01-28 22:40]
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-07 16:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Antivirus - C:\Program Files\VAV\vav.exe
    HKLM-Run-644c7703 - C:\WINDOWS\system32\magbyive.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-18 16:18:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\DLAAPI_W.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Apoint\ApntEx.exe
    C:\Program Files\Apoint\hidfind.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-18 16:28:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-18 14:28:12

    Pre-Run: 13,126,471,680 bytes free
    Post-Run: 13,100,957,696 bytes free

    206 --- E O F --- 2008-02-29 18:42:37




    ***** HijackThis *****

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:29:23, on 18/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\ScanPanel\ScnPanel.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\ComboFix\NirCmd.cfexe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.fortisbanking.be/portal/...et=menu-invest
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.132.20.1:8080
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
    O4 - HKLM\..\Run: [644c7703] rundll32.exe "C:\WINDOWS\system32\magbyive.dll",b
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190636220843
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = devoteam.belgium
    O17 - HKLM\Software\..\Telephony: DomainName = devoteam.belgium
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = devoteam.belgium
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12787 bytes

    --------------------------------------

    Edit:
    before I do anything else on my laptop. So I've run the instructions to remove Virtumonde.dll.
    Do NOT run 'fixes' before helpers have analyzed the HJT log
    Last edited by tashi; 2008-07-19 at 19:11. Reason: Removed second new topic, Yesterday at 10:20: Mod: added link as FYI

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
    • Scroll down to where it says
      The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
    • Click the
      Download
      button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file & a fresh hjt log in your next reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •