
Thread: Virtumonde problems

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Posts
    27

    Virtumonde problems

    I can't get rid of Virtumonde. I ran Spybot, which "says" it got rid of it, but it's still on my machine. I ran VundoFix; it found nothing. I ran HijackThis; here's the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:26:24 PM, on 16/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\AlienGUIse\wbload.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\VCRZJ1J5\VundoFix[1].exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Trend Micro\HijackThis\BobSmit.exe
    C:\WINDOWS\explorer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/news/index.html?tag=nav-top;news&navclk=news
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - C:\WINDOWS\system32\rqrssqq.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {ECC96029-F6A2-4B85-93D4-B56F0D70AB98} - C:\WINDOWS\system32\ddccy.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
    O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
    O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
    O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://wayneslaptop:8889/forms/jinitiator/jinit.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: rqrssqq - rqrssqq.dll (file missing)
    O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleDBConsoleoracle1 - Oracle Corporation - C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceORACLE1 - Oracle Corporation - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 9850 bytes
    Last edited by tashi; 2007-11-16 at 19:38. Reason: Moved from Spybot-S&D support, no HJT logs. ;-)

  2. #2
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,965


    Hello.

    Please follow the procedure in this link:
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Then start another topic in this Malware Removal Forum with the HJT log produced in the correct format.

    Note: In Notepad, under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
    I will then close this topic, as helpers look for zero responses.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
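The log above was posted with Notepad's word wrap on, which is why tashi asks for it single spaced before anyone reads it. As an added example (not part of this thread, and not code from HijackThis or Spybot), the Python below re-joins wrapped HJT entries and then pulls out the O2 and O20 lines a helper would look at first: nameless or fileless BHOs and every Winlogon Notify package. The sample lines are constructed from entries in the posted log; the regexes are my own reading of the HJT line format, not an official grammar.

```python
import re
# Constructed sample in the word-wrapped form of the posted log: each continuation
# line follows a blank line and carries no HJT section prefix.
WRAPPED_LOG = r"""
O2 - BHO: (no name) -

{2C80EAD3-74CD-4700-83A4-AA878CD1C03C} -

C:\WINDOWS\system32\rqrssqq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: rqrssqq - rqrssqq.dll (file

missing)
"""
# Every HJT entry opens with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")

def unwrap(text):
    """Re-join wrapped entries: a line without a section prefix continues the previous
    entry. A wrap inside a long URL gains a stray space, so check those by hand."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def triage(entries):
    """(section, id, path) for nameless or fileless BHOs and every Winlogon Notify package."""
    findings = []
    for entry in entries:
        bho = BHO_RE.match(entry)
        notify = NOTIFY_RE.match(entry)
        if bho:
            name, clsid, path = bho.groups()
            if name == "(no name)" or "(file missing)" in path or "(no file)" in path:
                findings.append(("O2", clsid, path))
        elif notify:
            findings.append(("O20", notify.group("key"), notify.group("dll")))
    return findings
```

Run against the full log, the Adobe, Spybot and Office BHOs drop out and the two rqrssqq entries and the ddccy BHO remain, which is the short list a helper would actually ask about.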
