Jump to content

Virtumonde.prx


Recommended Posts

Good morning to all,

I am having a difficult time trying to remove Virtumonde.prx from my computer. I have updated my anti-virus and malwarebytes, and spybot s&d. When I run scans with AVG and Malwarebytes the scans end saying that no malicious files have been found, but when I scan the computer using Spybot S&D it finds the Virtumonde.prx file. I delete it and reboot and run the scan all over again and I get the same result from Spybot.

Below is the HijackThis log file for the experts to look over.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:58:26 AM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

D:\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

D:\Unlocker\UnlockerAssistant.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bellsouth.net/

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2d59aec5-f4b8-4350-9f8d-9d5c26b78b3d} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1

\SDHelper.dll

O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program

Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on EMMA] C:\WINDOWS\System32

\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "Auto EPSON Stylus Photo R200 Series on EMMA"

/O12 "\\EMMA\Epson" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on emilysroom] C:\WINDOWS\System32

\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on

emilysroom" /O28 "\\EMILYSROOM\EpsonStylusR200" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [unlockerAssistant] "D:\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CPM313e2b3d] Rundll32.exe "c:\windows\system32\gidohanu.dll",a

O4 - HKLM\..\RunOnce: [OE_WMPWMFSDK_Install_4] C:\WINDOWS\system32\regsvr32 /s

"C:\WINDOWS\system32\wmvdmod.dll"

O4 - HKLM\..\RunOnce: [spybotDeletingA338] command /c del "c:\windows\system32

\mirupibe.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC692] cmd /c del "c:\windows\system32

\mirupibe.dll_old"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-

Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [spybotDeletingB6808] command /c del "c:\windows\system32

\mirupibe.dll_old"

O4 - HKCU\..\RunOnce: [spybotDeletingD8515] cmd /c del "c:\windows\system32

\mirupibe.dll_old"

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2

\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1

\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1

\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1

\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4

-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583}

- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} -

http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.8.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

http://photo.walgreens.com/WalgreensActivia.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: vubquu.dll,c:\windows\system32\rahupeke.dll,c:\windows\system32

\diwunawo.dll,c:\windows\system32\mirupibe.dll,cquzcr.dll,avgrsstx.dll

O20 - Winlogon Notify: opnoMeed - opnoMeed.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-

Aware\aawservice.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1

\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe

Thank you in advance for all of your help in resolving this problem.

Thanks again,

Erick B

Link to post
Share on other sites

Hello.

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

Please don't post your log in this topic or start another thread in this forum, but post them in the Malware Removal - HijackThis Logs forum linked to above. :)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.