Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
01-16-2009, 10:05 AM   #1
OS: XP sp3


Virtumonde

I have gotten the lovely Virtumonde virus. I have done all I could for the files that are being asked for. The virus has limited internet access on my PC and I am not able to run the GMER Rootkit Scanner. Adaware says there are 5 registry files associated with Virtumonde but I am not able to delete them through Adaware or manually. They point me in the direction of - c:\WINDOWS\system32\pmnoOFWN.dll - that I also cannot delete manually. I am doing all of this from a different PC as my PC will not let me go to this website. Is there anything anyone can do to help? Thanks. Here is my DDS.txt:


DDS (Ver_09-01-07.01) - NTFSx86
Run by jeffw at 21:51:29.92 on Thu 01/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.188 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hgcheck.exe
C:\DOCUME~1\jeffw\LOCALS~1\Temp\winlogun.exe
C:\DOCUME~1\jeffw\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\imapi.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\jeffw\LOCALS~1\Temp\csrssc.exe
G:\dds.com
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: {0f77f5cf-31f2-44d7-b4e9-ad10da495eba} - c:\windows\system32\qoMdDwVO.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\02jff7ng\index_~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\tf6gy473\print_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\activi~3.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\activi~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\02jff7ng\a_ds_p~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\user_2~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\spacer~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\qi_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\60eea3~1.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\k5opirix.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\ihwpq1av.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\ibs9mfy9.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\4qblj75d\print_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\4qblj75d\index_~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\eza33vg3\aceuac~1.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\k5opirix.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\ihwpq1av.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\ibs9mfy9.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\szlv38ti\flashw~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\7niaf6yi\log_5_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\d8wxfbee\log_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vq39ryy5\site_m~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vq39ryy5\site_m~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\6ce4tvv0\site_m~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\neutra~1.sh! 
c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\tab-to~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\TORREN~3.SH!
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [PeerGuardian] f:\program files\peerguardian2\pg2.exe
uRun: [jsg8jfgfdfhfhf] c:\docume~1\jeffw\locals~1\temp\winlogun.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\jeffw\locals~1\temp\winlogin.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\jeffw\locals~1\temp\csrssc.exe
uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\app_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\i8zmse4y\dc_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\dw_pas~4.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\nz32m22f\index_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\dwb8d5~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\mura7eby\index_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dw_pas~4.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dw_pas~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dc_2_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\uu6hdf7x\dw_pas~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\app_2_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\fz3vrz6z\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\app_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\twt0ukdg\dc_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\DW_PAS~3.SH!
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hgcheck] c:\windows\system32\hgcheck.exe
mRun: [jsg8jfgfdfhfhf] c:\docume~1\jeffw\locals~1\temp\winlogun.exe
mRun: [jsf8uiw3jnjgffght] c:\docume~1\jeffw\locals~1\temp\winlogin.exe
mRun: [Lmabuzageyabeguy] rundll32.exe "c:\windows\Ptuvomizihawagu.dll",e
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mExplorerRun: [user32.dll] c:\program files\video access activex object\isamntr.exe
mExplorerRun: [rare] c:\program files\video access activex object\pmsnrr.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090112a.dll xccd16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on CD - f:\program files\ahd\ahd.htm
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\jeffw\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pmnoOFWN - pmnoOFWN.dll
SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - No File
STS: {8329660f-e248-4872-98cc-fb9c4fec7ba8} - No File
STS: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
STS: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll
SEH: d - No File
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdDwVO

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-15 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-15 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-15 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-23 201320]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-1-15 160792]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-23 40488]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-20 359248]
R4 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-11-23 144704]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-15 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-15 1079176]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-1-25 2368]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\FNETUSB.sys [2006-12-16 13770]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-23 33832]

=============== Created Last 30 ================

2009-01-15 21:01 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-01-15 21:01 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-15 21:01 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-15 21:01 <DIR> --d----- c:\program files\common files\PC Tools
2009-01-15 21:01 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-15 21:01 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-15 21:01 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-15 21:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-01-15 18:50 20,176 a---h--- c:\windows\system32\mlfcache.dat
2009-01-15 18:21 164 a------- C:\install.dat
2009-01-15 12:28 <DIR> --d----- c:\program files\s?stem32
2009-01-15 12:28 <DIR> --d----- c:\windows\system32\?icrosoft.NET
2009-01-15 12:27 213,760 a------- c:\windows\system32\oins.exe
2009-01-15 12:27 41,984 a------- c:\windows\system32\YGWUninstaller.exe
2009-01-15 12:27 389,120 a------- c:\windows\system32\tmpxccacj0.exe
2009-01-15 12:26 76 a------- c:\windows\system32\xcchit32.ini
2009-01-15 12:24 1,375,225 ---sh--- c:\windows\system32\apagylns.ini
2009-01-15 12:24 40,960 a------- c:\windows\system32\lytqotrh.dll
2009-01-15 12:23 15,520 a--sh--- c:\windows\system32\OVwDdMoq.ini2
2009-01-15 12:23 15,520 a--sh--- c:\windows\system32\OVwDdMoq.ini
2009-01-15 12:23 236,032 a------- c:\windows\system32\qoMdDwVO.dll
2009-01-15 12:15 10,896 a------- c:\windows\system32\work.ini
2009-01-15 12:15 41,984 a------- c:\windows\Ptuvomizihawagu.dll
2009-01-15 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-15 12:15 46,592 a------- c:\windows\system32\byXNfdaX.dll
2009-01-15 12:15 87,020 a------- c:\windows\system32\drivers\caa8945c.sys
2009-01-15 12:15 38,400 a------- c:\windows\system32\pmnoOFWN.dll
2009-01-15 12:14 2 a------- C:\875120410
2009-01-15 12:14 313,329 a------- c:\windows\system32\hguest.exe
2009-01-15 12:14 251,392 a------- c:\windows\xccdf32_090112a.dll
2009-01-15 12:14 36,352 a------- c:\windows\xccdf16_090112a.dll
2009-01-15 12:14 <DIR> --d----- c:\windows\system32\inf
2009-01-15 12:14 107,732 a------- c:\windows\system32\hgcheck.exe
2009-01-15 12:14 227 a------- c:\windows\system32\hgset.ini
2009-01-15 12:14 15,000 a------- c:\windows\system32\hgfdge4unjdfdg.dll
2009-01-15 12:14 15,000 a------- c:\windows\system32\hsjefi8wunkmdf.dll
2009-01-11 22:36 544,768 a------- c:\windows\system32\msvcr71d.dll
2009-01-11 22:36 344,064 a------- c:\windows\system32\msvcr70.dll
2009-01-11 22:36 719,872 a------- c:\windows\system32\devil.dll
2009-01-11 22:36 314,368 a------- c:\windows\system32\avisynth.dll
2009-01-03 16:25 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-14 12:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2006-09-03 14:49 19,968 a------- c:\docume~1\jeffw\applic~1\GDIPFONTCACHEV1.DAT
2001-11-22 22:08 712,704 -------- c:\windows\inf\other\AUDIO3D.DLL
2008-09-08 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 21:53:41.14 ===============
Attached Files: Attach.zip (3.0 KB)
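As an added example (not code from the thread, from DDS or from any forum tool), a Python triage pass over the kind of "Pseudo HJT Report" lines DDS prints above: it flags autoruns whose image lives in a Temp directory, rundll32 entries calling a one-letter export, a populated AppInit_DLLs value, LSA package lists beyond the assumed XP defaults (msv1_0 and scecli), lockdown policies, and any DLL registered under two or more load points at once (the pattern pmnoOFWN.dll shows as BHO, Notify and SEH). The heuristics, the baseline values and the sample report are my construction from the entry shapes in this thread; each hit is a candidate for a human to review, not a verdict.

```python
"""Triage pass over the "Pseudo HJT Report" section of a DDS log (heuristics, not verdicts)."""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed baseline: default contents of the two LSA package values on Windows XP.
LSA_DEFAULTS = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Policies that hide the tools a user reaches for when cleaning a machine.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}
AUTORUN_KEYS = {"uRun", "mRun", "uRunOnce", "mRunOnce", "uExplorerRun", "mExplorerRun"}
# Load points that register a DLL; one module under several of them is a strong signal.
DLL_KEYS = {"BHO", "Notify", "SEH", "STS", "SSODL", "AppInit_DLLs", "LSA"}

# Constructed sample in DDS's line format, built from entry shapes seen in the thread's logs.
SAMPLE_REPORT = r"""
uRun: [jsg8jfgfdfhfhf] c:\docume~1\jeffw\locals~1\temp\winlogun.exe
uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Lmabuzageyabeguy] rundll32.exe "c:\windows\Ptuvomizihawagu.dll",e
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
BHO: {d031d991-12f3-48a7-a33a-28cc7011f225} - c:\windows\system32\qoMdDwVO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pmnoOFWN - pmnoOFWN.dll
AppInit_DLLs: c:\windows\system32\piyadayi.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdDwVO
LSA: Notification Packages = scecli c:\windows\system32\piyadayi.dll
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""


def launched_image(command: str) -> str:
    """Executable part of an autorun command line: the quoted path if there is one,
    else everything up to the first .exe/.dll/.com/.scr/.bat, else the first token."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))\b", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command.split() else ""


def module_basenames(body: str) -> set[str]:
    """Lower-cased module names (no directory, no .dll) referenced in a report line body."""
    names = {m.group(1).lower()
             for m in re.finditer(r'([^\s\\/"]+)\.dll\b', body, re.IGNORECASE)}
    if body.startswith(("Authentication Packages", "Notification Packages")):
        # LSA packages are listed without an extension, e.g. "msv1_0 c:\windows\system32\qoMdDwVO"
        for token in body.partition("=")[2].split():
            base = token.rsplit("\\", 1)[-1].lower()
            names.add(base[:-4] if base.endswith(".dll") else base)
    return names


def triage(report: str) -> list[tuple[str, str]]:
    """Return (reason, detail) pairs; detail is the report line, or the load points for
    a module that is registered in more than one place."""
    findings: list[tuple[str, str]] = []
    seen_in: dict[str, set[str]] = defaultdict(set)  # module basename -> load points
    for raw in report.splitlines():
        line = raw.strip()
        key, sep, body = line.partition(": ")
        if not sep:
            continue
        body = body.strip()
        if key in AUTORUN_KEYS:
            command = re.sub(r"^\[[^\]]*\]\s*", "", body)  # drop the [value name] label
            if re.search(r"\\temp\\", launched_image(command), re.IGNORECASE):
                findings.append(("autorun image lives in a Temp directory", line))
            m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w+)', command, re.IGNORECASE)
            if m and len(m.group(2)) == 1:
                findings.append(("rundll32 autorun calling a one-letter export", line))
            for name in module_basenames(command):
                seen_in[name].add(key)
        elif key == "AppInit_DLLs":
            findings.append(("AppInit_DLLs is populated (empty on a stock XP install)", line))
        elif key == "LSA":
            value_name, _, value = body.partition("=")
            extra = [t for t in value.split() if t.lower() not in LSA_DEFAULTS.get(value_name.strip(), set())]
            if extra:
                findings.append((f"non-default LSA {value_name.strip()}: {' '.join(extra)}", line))
        elif key.startswith(("uPolicies", "mPolicies")):
            m = re.match(r"(\w+) = 1\b", body)
            if m and m.group(1) in LOCKDOWN_POLICIES:
                findings.append((f"lockdown policy {m.group(1)} is set", line))
        if key in DLL_KEYS:
            for name in module_basenames(body):
                seen_in[name].add(key)
    for name, points in sorted(seen_in.items()):
        if len(points) >= 2:
            findings.append((f"module {name} registered under {len(points)} load points", ", ".join(sorted(points))))
    return findings
```

Run `triage(open("dds.txt").read())` on a real log; the DelayShred line shows why the Temp check looks only at the launched image and not at the shredder's argument list.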
01-17-2009, 01:31 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Re: Virtumonde

Hello, jwood_013 and Welcome to TSF.

As stated in our pre-posting sticky topic...

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
If you have more than one antivirus software installed, leave only ONE and uninstall the others
While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed,

Quote:
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*.
Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
-----------------------------------------------------------------------

Once you've done that....

Let's try to get a GMER log.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
@echo off
copy /y gmer.exe omer.exe
start omer
Save this as run.bat. Choose "Save type as - All Files", next to gmer.exe.
It should look like this:
Double click on run.bat & allow it to run

Then, use these settings to produce a log.
  • If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
01-17-2009, 05:44 PM   #3
Re: Virtumonde

Hopefully this is better. I was able to run gmer.exe and have removed everything I think I need to. I re-ran all reports.


DDS (Ver_09-01-07.01) - NTFSx86
Run by jeffw at 18:32:05.32 on Sat 01/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.207 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hgcheck.exe
C:\DOCUME~1\jeffw\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\jeffw\Desktop\dds.com
C:\WINDOWS\System32\imapi.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
BHO: {97f91728-b2ef-4dfc-af48-ccd21fec6ec4} - c:\windows\system32\ramuzovi.dll
BHO: {d031d991-12f3-48a7-a33a-28cc7011f225} - c:\windows\system32\qoMdDwVO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\02jff7ng\index_~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\tf6gy473\print_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\activi~3.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\activi~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\02jff7ng\a_ds_p~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\user_2~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\sgall5gs\spacer~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\qi_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\1by8scbj\60eea3~1.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\k5opirix.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\ihwpq1av.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.ie5\ibs9mfy9.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1\content.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\4qblj75d\print_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\4qblj75d\index_~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\eza33vg3\aceuac~1.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\k5opirix.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\ihwpq1av.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh!\ibs9mfy9.sh! c:\docume~1\jeffw\locals~1\temp\tempor~1.sh!\content.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\szlv38ti\flashw~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\7niaf6yi\log_5_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\d8wxfbee\log_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vq39ryy5\site_m~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vq39ryy5\site_m~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\6ce4tvv0\site_m~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\neutra~1.sh! 
c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\tab-to~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\gh07t26j\TORREN~3.SH!
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [PeerGuardian] f:\program files\peerguardian2\pg2.exe
uRun: [jsg8jfgfdfhfhf] c:\docume~1\jeffw\locals~1\temp\winlogun.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\jeffw\locals~1\temp\winlogin.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\jeffw\locals~1\temp\csrssc.exe
uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\app_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\i8zmse4y\dc_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\dw_pas~4.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\nz32m22f\index_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\05a1jyo3\dwb8d5~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\mura7eby\index_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dw_pas~4.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dw_pas~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\dc_2_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\uu6hdf7x\dw_pas~2.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\vdzag799\app_2_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\fz3vrz6z\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\app_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\no_con~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\twt0ukdg\dc_1_~1.sh! c:\docume~1\jeffw\locals~1\tempor~1\content.ie5\w80x03vi\DW_PAS~3.SH!
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hgcheck] c:\windows\system32\hgcheck.exe
mRun: [jsg8jfgfdfhfhf] c:\docume~1\jeffw\locals~1\temp\winlogun.exe
mRun: [jsf8uiw3jnjgffght] c:\docume~1\jeffw\locals~1\temp\winlogin.exe
mRun: [Lmabuzageyabeguy] rundll32.exe "c:\windows\Ptuvomizihawagu.dll",e
mRun: [tatuyureri] Rundll32.exe "c:\windows\system32\wonutego.dll",s
mExplorerRun: [user32.dll] c:\program files\video access activex object\isamntr.exe
mExplorerRun: [rare] c:\program files\video access activex object\pmsnrr.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090112a.dll xccd16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on CD - f:\program files\ahd\ahd.htm
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\jeffw\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pmnoOFWN - pmnoOFWN.dll
AppInit_DLLs: c:\windows\system32\piyadayi.dll
SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - No File
STS: {8329660f-e248-4872-98cc-fb9c4fec7ba8} - No File
STS: c:\windows\system32\hgfdge4unjdfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgfdge4unjdfdg.dll
STS: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll
SEH: d - No File
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdDwVO
LSA: Notification Packages = scecli c:\windows\system32\piyadayi.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-23 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-23 40488]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-20 359248]
R4 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-11-23 144704]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-1-25 2368]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\FNETUSB.sys [2006-12-16 13770]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-23 33832]

=============== Created Last 30 ================

2009-01-15 18:50 20,176 a---h--- c:\windows\system32\mlfcache.dat
2009-01-15 18:21 164 a------- C:\install.dat
2009-01-15 12:28 <DIR> --d----- c:\program files\s?stem32
2009-01-15 12:28 <DIR> --d----- c:\windows\system32\?icrosoft.NET
2009-01-15 12:27 389,120 a------- c:\windows\system32\tmpxccacj0.exe
2009-01-15 12:26 76 a------- c:\windows\system32\xcchit32.ini
2009-01-15 12:24 1,375,225 ---sh--- c:\windows\system32\apagylns.ini
2009-01-15 12:24 40,960 a------- c:\windows\system32\lytqotrh.dll
2009-01-15 12:23 50,354 a--sh--- c:\windows\system32\OVwDdMoq.ini2
2009-01-15 12:23 50,354 a--sh--- c:\windows\system32\OVwDdMoq.ini
2009-01-15 12:23 236,032 a------- c:\windows\system32\qoMdDwVO.dll
2009-01-15 12:15 10,896 a------- c:\windows\system32\work.ini
2009-01-15 12:15 41,984 a------- c:\windows\Ptuvomizihawagu.dll
2009-01-15 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-15 12:15 46,592 a------- c:\windows\system32\byXNfdaX.dll
2009-01-15 12:15 87,020 a------- c:\windows\system32\drivers\caa8945c.sys
2009-01-15 12:15 38,400 a------- c:\windows\system32\pmnoOFWN.dll
2009-01-15 12:14 2 a------- C:\875120410
2009-01-15 12:14 313,380 a------- c:\windows\system32\hguest.exe
2009-01-15 12:14 251,392 a------- c:\windows\xccdf32_090112a.dll
2009-01-15 12:14 36,352 a------- c:\windows\xccdf16_090112a.dll
2009-01-15 12:14 <DIR> --d----- c:\windows\system32\inf
2009-01-15 12:14 107,732 a------- c:\windows\system32\hgcheck.exe
2009-01-15 12:14 227 a------- c:\windows\system32\hgset.ini
2009-01-15 12:14 15,000 a------- c:\windows\system32\hgfdge4unjdfdg.dll
2009-01-15 12:14 15,000 a------- c:\windows\system32\hsjefi8wunkmdf.dll
2009-01-03 16:25 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-14 12:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2006-09-03 14:49 19,968 a------- c:\docume~1\jeffw\applic~1\GDIPFONTCACHEV1.DAT
2001-11-22 22:08 712,704 -------- c:\windows\inf\other\AUDIO3D.DLL
0000-00-00 00:00 63,740 a--sh--- c:\windows\system32\piyadayi.dll
0000-00-00 00:00 63,740 a--sh--- c:\windows\system32\ramuzovi.dll
0000-00-00 00:00 63,740 a--sh--- c:\windows\system32\wonutego.dll
2008-09-08 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 18:34:41.04 ===============
Attached Files
File Type: zip ark.zip (2.3 KB, 1 views)
File Type: zip Attach.zip (3.1 KB, 1 views)
jwood_013 is offline  
Old 01-17-2009, 06:01 PM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Good job.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

One thing you need to do differently from the instructions on the page. This is important! When you download ComboFix, you must rename it before it is saved. Everything else on the page, perform as instructed. Rename ComboFix.exe to ComFxx.exe

Please ensure you read this guide carefully and install the Recovery Console first.


The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that.

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-17-2009, 07:01 PM   #5
Registered User
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

Combofix says it has detected the presence of rootkit activity and asked me to write down about 10 file names and says it has to restart. Is this normal? Shall I proceed?
jwood_013 is offline  
Old 01-17-2009, 07:10 PM   #6
Manager, Security Center, TSF Academy; Analyst, Security Team
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Yes, this is expected behavior for the type of infection you have. Please do make note of the files in the message box. Write them down on paper, please. No need to post them, just save it.

And then, yes...continue.
tetonbob is offline  
Old 01-17-2009, 07:32 PM   #7
Registered User
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

ComboFix 09-01-17.03 - jeffw 2009-01-17 20:16:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.246 [GMT -6:00]
Running from: c:\documents and settings\jeffw\Desktop\ComFxx.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\sstem3~1
c:\windows\system32\apagylns.ini
c:\windows\system32\byXNfdaX.dll
c:\windows\system32\drivers\caa8945c.sys
c:\windows\system32\drivers\TDSSixsa.sys
c:\windows\system32\hgfdge4unjdfdg.dll
c:\windows\system32\hsjefi8wunkmdf.dll
c:\windows\system32\icroso~1.net
c:\windows\system32\icroso~1.net\?icrosoft.NET\
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090112.dll
c:\windows\system32\OVwDdMoq.ini
c:\windows\system32\OVwDdMoq.ini2
c:\windows\system32\piyadayi.dll
c:\windows\system32\pmnoOFWN.dll
c:\windows\system32\qoMdDwVO.dll
c:\windows\system32\ramuzovi.dll
c:\windows\system32\TDSScfum.log
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.log
c:\windows\system32\TDSSwitt.dll
c:\windows\system32\tmpxccacj0.exe
c:\windows\system32\wonutego.dll
c:\windows\system32\xcchit32.ini
c:\windows\Tasks\gcyzbpji.job
c:\windows\xccdf16_090112a.dll
c:\windows\xccdf32_090112a.dll

----- BITS: Possible infected sites -----

hxxp://cdn.game-server.cc
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tdssserv.sys
-------\Legacy_tdssserv.sys
-------\Service_caa8945c


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-15 21:01 . 2009-01-17 16:57 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 18:50 . 2009-01-15 18:50 20,176 --ah----- c:\windows\system32\mlfcache.dat
2009-01-15 18:21 . 2009-01-15 18:21 164 --a------ C:\install.dat
2009-01-15 15:49 . 2009-01-15 15:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-15 14:38 . 2009-01-15 14:38 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 12:24 . 2009-01-15 12:24 40,960 --a------ c:\windows\system32\lytqotrh.dll
2009-01-15 12:15 . 2009-01-15 12:15 41,984 --a------ c:\windows\Ptuvomizihawagu.dll
2009-01-15 12:15 . 2009-01-15 12:15 10,896 --a------ c:\windows\system32\work.ini
2009-01-15 12:14 . 2009-01-17 20:17 <DIR> d-------- c:\windows\system32\inf
2009-01-15 12:14 . 2009-01-17 16:48 313,380 --a------ c:\windows\system32\hguest.exe
2009-01-15 12:14 . 2009-01-15 12:14 107,732 --a------ c:\windows\system32\hgcheck.exe
2009-01-15 12:14 . 2009-01-17 20:22 227 --a------ c:\windows\system32\hgset.ini
2009-01-15 12:14 . 2009-01-15 12:15 2 --a------ C:\875120410
2009-01-03 16:25 . 2009-01-03 16:25 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 02:22 --------- d-----w c:\program files\DNA
2009-01-18 02:22 --------- d-----w c:\documents and settings\jeffw\Application Data\DNA
2009-01-17 23:03 --------- d-----w c:\program files\Lavasoft
2009-01-16 03:44 --------- d-----w c:\documents and settings\jeffw\Application Data\BitTorrent
2009-01-15 23:48 --------- d-----w c:\documents and settings\jeffw\Application Data\Apple Computer
2009-01-11 07:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 04:03 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-08 19:27 --------- d-----w c:\program files\UltimateBet
2008-12-14 18:08 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-29 22:25 --------- d-----w c:\program files\Safari
2008-11-26 01:44 --------- d-----w c:\program files\_uninstallation_info
2008-11-22 22:43 --------- d-----w c:\program files\iTunes
2008-11-22 22:43 --------- d-----w c:\program files\iPod
2008-11-22 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 22:41 --------- d-----w c:\program files\QuickTime
2008-11-22 22:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-19 04:17 --------- d-----w c:\program files\Yahoo!
2008-11-19 04:16 --------- d-----w c:\program files\Common Files\Scanner
2006-09-03 20:49 19,968 ----a-w c:\documents and settings\jeffw\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 23:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"hgcheck"="c:\windows\system32\hgcheck.exe" [2009-01-15 107732]
"Lmabuzageyabeguy"="c:\windows\Ptuvomizihawagu.dll" [2009-01-15 41984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-01-25 2368]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\FNETUSB.sys [2006-12-16 13770]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1935ade3-173c-4d67-9992-975093708bfe} - c:\windows\system32\qoMdDwVO.dll
BHO-{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\pmnoOFWN.dll
BHO-{97f91728-b2ef-4dfc-af48-ccd21fec6ec4} - c:\windows\system32\ramuzovi.dll
HKCU-Run-PeerGuardian - f:\program files\PeerGuardian2\pg2.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
SharedTaskScheduler-{8329660f-e248-4872-98cc-fb9c4fec7ba8} - (no file)
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hgfdge4unjdfdg.dll
SharedTaskScheduler-{C5AF42A3-94F3-42BD-F634-3604832C897D} - c:\windows\system32\hsjefi8wunkmdf.dll
ShellExecuteHooks-d - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\pmnoOFWN.dll
SSODL-didynamia-{8329660f-e248-4872-98cc-fb9c4fec7ba8} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on CD - f:\program files\AHD\ahd.htm
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\jeffw\Start Menu\Programs\UltimateBet\UltimateBet.lnk
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 20:23:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\McAfee\MSC\mcshell.exe
.
**************************************************************************
.
Completion time: 2009-01-17 20:27:11 - machine was rebooted [jeffw]
ComboFix-quarantined-files.txt 2009-01-18 02:26:44

Pre-Run: 28,558,266,368 bytes free
Post-Run: 28,962,963,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
232 --- E O F --- 2009-01-14 00:10:44
jwood_013 is offline  
Old 01-17-2009, 07:51 PM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Good work.

I need more information on some files before we continue.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\system32\lytqotrh.dll


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • c:\windows\Ptuvomizihawagu.dll
    • c:\windows\system32\hguest.exe
    • c:\windows\system32\hgcheck.exe
tetonbob is offline  
Old 01-17-2009, 08:10 PM   #9
Registered User
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

File lytqotrh.dll received on 01.18.2009 03:58:24 (CET)
Current status: finished
Result: 6/39 (15.39%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.18 -
AhnLab-V3 2009.1.15.0 2009.01.17 -
AntiVir 7.9.0.57 2009.01.17 HEUR/Malware
Authentium 5.1.0.4 2009.01.17 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.17 -
BitDefender 7.2 2009.01.18 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 934 2009.01.17 -
DrWeb 4.44.0.09170 2009.01.18 DLOADER.Trojan
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.17 -
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.18 -
Ikarus T3.1.1.45.0 2009.01.18 -
K7AntiVirus 7.10.594 2009.01.17 -
Kaspersky 7.0.0.125 2009.01.18 -
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 Generic!Artemis
Microsoft 1.4205 2009.01.17 -
NOD32 3774 2009.01.17 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.17 -
PCTools 4.4.2.0 2009.01.17 -
Prevx1 V2 2009.01.18 Cloaked Malware
Rising 21.12.52.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.17 Heuristic.Malware
Sophos 4.37.0 2009.01.17 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 Downloader
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.17 -
Additional information
File size: 40960 bytes
MD5...: 61437402efc31063443a5b6b948607f9
SHA1..: 8b6588d716ee8b26d7d958d10ad672a6b96407d0
SHA256: d134e77b8f9203d568b867aa1b04c4c4f6b31bc0c29b1c1e2d76e991dabaa3fb
SHA512: 92241620b4f411d6423b78eadc9da0e5fa388f71cf2bf4f276c82ce25e3f7543b3c1f197f8b5911743f03bb945d889705fe5fe3ebea8b405b13fe222c71c9f6a
ssdeep: 768:pzbZr2zMLNtBvGiuqMiLQEBgm78EDZOHEDE71o:Nt2wNfvGiuqMiLQQgmTjD41o
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001402
timedatestamp.....: 0x496b64bc (Mon Jan 12 15:41:48 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4fb4 0x5000 6.60 4d4a25b374c175db05adecfc464de4b4
.rdata 0x6000 0x1869 0x2000 4.05 7c4dd255c9538ff2e353bbe3144f7ff8
.data 0x8000 0x113c 0x1000 1.51 dadfc0937e6b623a639e0645601a898d
.reloc 0xa000 0xcd6 0x1000 3.51 6acbfb012a94b65cb5f655a4c06d1f29

( 4 imports )
> KERNEL32.dll: FreeLibrary, GetProcAddress, LoadLibraryA, lstrcpyA, GetTickCount, GetSystemTimeAsFileTime, CloseHandle, CreateProcessA, GetTempPathA, GetSystemDirectoryA, lstrcatA, GetSystemInfo, VirtualProtect, ExitProcess, GetCurrentThreadId, GetCommandLineA, GetVersionExA, QueryPerformanceCounter, GetCurrentProcessId, GetModuleFileNameA, GetModuleHandleA, TerminateProcess, GetCurrentProcess, TlsAlloc, SetLastError, GetLastError, TlsFree, TlsSetValue, TlsGetValue, HeapFree, HeapAlloc, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, WriteFile, RtlUnwind, InterlockedExchange, VirtualQuery, LeaveCriticalSection, EnterCriticalSection, GetACP, GetOEMCP, GetCPInfo, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, HeapSize, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW
> USER32.dll: GetCursorPos
> urlmon.dll: URLDownloadToFileA
> WININET.dll: InternetGetConnectedState

( 1 exports )
s
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CFD93EA600F5DC98A04C00CFB82A750014EE8438



File Ptuvomizihawagu.dll received on 01.18.2009 04:03:41 (CET)
Current status: finished
Result: 11/39 (28.21%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.18 Trojan-Dropper.Agent!IK
AhnLab-V3 2009.1.15.0 2009.01.17 -
AntiVir 7.9.0.57 2009.01.17 TR/Agent.ALUQ
Authentium 5.1.0.4 2009.01.17 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.17 SHeur2.LFR
BitDefender 7.2 2009.01.18 Trojan.Agent.ALUQ
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 934 2009.01.17 -
DrWeb 4.44.0.09170 2009.01.18 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.17 W32/Hiloti.A.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.18 Trojan.Agent.ALUQ
Ikarus T3.1.1.45.0 2009.01.18 Trojan-Dropper.Agent
K7AntiVirus 7.10.594 2009.01.17 -
Kaspersky 7.0.0.125 2009.01.18 -
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 -
Microsoft 1.4205 2009.01.17 -
NOD32 3774 2009.01.17 Win32/Cimag.D
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.17 -
PCTools 4.4.2.0 2009.01.17 -
Prevx1 V2 2009.01.18 Malicious Software
Rising 21.12.52.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.17 Trojan.Agent.ALUQ
Sophos 4.37.0 2009.01.17 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 Trojan.Vundo
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.17 -
Additional information
File size: 41984 bytes
MD5...: ccef273ab8f0cab18991d35d0d139bac
SHA1..: 62e279b5ae4d65cf4c1753f14954e927c0bb734a
SHA256: fc47e042929744bcdc2aff7c519e027a4f9d5480e21e2aeac1b941e30c210024
SHA512: 1125372423501d840f3847b5d9f1027184d1294eeb17a03c42889beb9dda5b2ae6806b606642dcac27d617e06be18f62f01ef6debda7e78b99ceeb8bad5fd22d
ssdeep: 768:+yaBfCiHkJdmSwEnBTs+Ree7SMEUk8Poj9bAVENSZQPG91CLl:Ca9xwa9Qe7SfUk8PetA+rLLl
PEiD..: -
TrID..: File type identification
Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10006b7c
timedatestamp.....: 0x489b20a6 (Thu Aug 07 16:19:50 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8000 0x7400 7.55 c44e7bc98cd6b1a5bb27291202cdbd6d
.data 0x9000 0x2000 0x1a00 6.21 d551bea56bf679e5b12adf690e31e3cc
.rsrc 0xb000 0x1000 0x400 2.81 b8f96aa02be70966915b9cfcfaa96d43
.reloc 0xc000 0x1000 0x200 2.20 0fecba56eff0214593e83490d7403316

( 5 imports )
> KERNEL32.dll: FreeLibrary, GetDateFormatA, GetEnvironmentStringsA, HeapAlloc, HeapCreate, SetEvent, VirtualFree, WaitForMultipleObjects, lstrcatA
> msvcrt.dll: malloc, _XcptFilter, __p__commode, __set_app_type, _exit, srand, setlocale, vswprintf, free, fprintf, exit
> user32.dll: EmptyClipboard, GetDlgCtrlID, EndDialog, DestroyWindow
> OLEAUT32.dll: -, -, -, -, -, -, -
> SHLWAPI.dll: PathGetCharTypeA, SHDeleteValueA, StrChrA, SHDeleteKeyA, PathAppendA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CD15CC7300BD9F32A45E00AA6ACA3900C87628AD



File hguest.exe received on 01.18.2009 0447 (CET)
Current status: finished
Result: 10/39 (25.65%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.18 Backdoor.Win32.Hupigon!IK
AhnLab-V3 2009.1.15.0 2009.01.17 -
AntiVir 7.9.0.57 2009.01.17 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2009.01.17 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.17 Klone
BitDefender 7.2 2009.01.18 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 934 2009.01.17 -
DrWeb 4.44.0.09170 2009.01.18 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.17 -
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.18 -
Ikarus T3.1.1.45.0 2009.01.18 Backdoor.Win32.Hupigon
K7AntiVirus 7.10.594 2009.01.17 -
Kaspersky 7.0.0.125 2009.01.18 Backdoor.Win32.Hupigon.fqhm
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 Generic!Artemis
Microsoft 1.4205 2009.01.17 -
NOD32 3774 2009.01.17 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.17 -
PCTools 4.4.2.0 2009.01.17 -
Prevx1 V2 2009.01.18 Malicious Software
Rising 21.12.52.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.17 Trojan.Crypt.XPACK.Gen
Sophos 4.37.0 2009.01.17 Mal/EncPk-EY
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 -
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 Backdoor.Win32.Hupigon.fmuo
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.17 -
Additional information
File size: 313380 bytes
MD5...: 3f9d3ca7be046f741635634118bae81c
SHA1..: f971d65dbb727c46c9b1b04278db645dad1c5a05
SHA256: c545b997d860ee83c84489788416a77f0c129fea475ec2bd08060e3b82a1119d
SHA512: 09e10e14af0fc2c753517a68b5d783f3a06dea29301d8cf1706eee0214f19743319958d7849a6995563ec6e75de204ebbbef721261309d477a0c9467b6d1a9c7
ssdeep: 6144:o8oWw7zSN/FMf7VbvGFxWsfhMrFBoK20UlsVB8X:oJ7mN/KzyxWsJMrFBonlsVB8X
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (67.9%)
Win32 Executable Generic (21.8%)
Generic Win/DOS Executable (5.1%)
DOS Executable Generic (5.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xbd000 0x200 0.35 a16677549ee6a487ed773995c6291fd0
.text 0xbe000 0x50064 0x4c424 7.92 97e878f0a1ca3800613c51a9d32e0821

( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree, GetModuleHandleA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2D8BA8D0246C35D5C8C1043B3C2E0700C14832EE


File hgcheck.exe received on 01.18.2009 04:09:06 (CET)
Current status: finished
Result: 16/39 (41.03%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.18 Trojan-Dropper.Agent!IK
AhnLab-V3 2009.1.15.0 2009.01.17 -
AntiVir 7.9.0.57 2009.01.17 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2009.01.17 -
Avast 4.8.1281.0 2009.01.16 Win32:Rootkit-gen
AVG 8.0.0.229 2009.01.17 Klone
BitDefender 7.2 2009.01.18 -
CAT-QuickHeal 10.00 2009.01.17 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.01.17 -
Comodo 934 2009.01.17 -
DrWeb 4.44.0.09170 2009.01.18 -
eSafe 7.0.17.0 2009.01.15 Suspicious File
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.17 -
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.18 Win32:Rootkit-gen
Ikarus T3.1.1.45.0 2009.01.18 Trojan-Dropper.Agent
K7AntiVirus 7.10.594 2009.01.17 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.01.18 Trojan-Dropper.Win32.Agent.aetb
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 -
Microsoft 1.4205 2009.01.17 -
NOD32 3774 2009.01.17 Win32/Delf.NXH
Norman 5.93.01 2009.01.16 W32/Agent.KOHF
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.17 Generic Rootkit
PCTools 4.4.2.0 2009.01.17 -
Prevx1 V2 2009.01.18 Malicious Software
Rising 21.12.52.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.17 Trojan.Crypt.XPACK.Gen
Sophos 4.37.0 2009.01.17 Mal/EncPk-EY
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 -
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.17 -
Additional information
File size: 107732 bytes
MD5...: d5d51cd0f140969b18daf49eb8911874
SHA1..: 76e118e3c8f3bef763ed28449e482997b4a3a860
SHA256: 02c0b1190883273a120bdf44bd3ef41b9016732195c52f9f9cdb7d94e497e8d6
SHA512: 6613a81ca6764910a32250c4b3fed085b34e471d52006b09bde27083ef5aca9b72cfe1a2bbf10a572c17a0ea5471e294eaec3c6e11eb33e2d52859686517270d
ssdeep: 3072:ktc5M9yWmTLv3V7MLoTGWLMSV7oSUq+O6SpkVWFFemDwl8:rMgWGfdAo5ToJqHx7gl8
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (67.9%)
Win32 Executable Generic (21.8%)
Generic Win/DOS Executable (5.1%)
DOS Executable Generic (5.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x45000 0x200 0.35 7854ce37c151f11f441f2ce683a6b496
.text 0x46000 0x1ddad 0x1a0d4 7.91 8d7b342a408eadcf5ae408bed79497ef

( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree, GetModuleHandleA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7EFF727CD4EC9641A4AA013B3C2E0700603CBC0C
jwood_013 is offline  
Old 01-17-2009, 08:35 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Yuk...let's take out the trash.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335422-virtumonde.html#post1918459

    File::
    C:\875120410

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    Collect::
    C:\windows\system32\lytqotrh.dll
    c:\windows\Ptuvomizihawagu.dll
    c:\windows\system32\hguest.exe
    c:\windows\system32\hgcheck.exe
    c:\windows\system32\hgset.ini




    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-17-2009, 08:46 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

ComboFix 09-01-17.03 - jeffw 2009-01-17 21:38:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.217 [GMT -6:00]
Running from: c:\documents and settings\jeffw\Desktop\ComFxx.exe
Command switches used :: c:\documents and settings\jeffw\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
C:\875120410
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\875120410
c:\windows\Ptuvomizihawagu.dll
c:\windows\system32\hgcheck.exe
c:\windows\system32\hgset.ini
c:\windows\system32\hguest.exe
c:\windows\system32\lytqotrh.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 20:34 . 2009-01-17 20:34 132,608 --a------ c:\windows\okaxoyiviyifani.dll
2009-01-15 21:01 . 2009-01-17 16:57 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 18:50 . 2009-01-15 18:50 20,176 --ah----- c:\windows\system32\mlfcache.dat
2009-01-15 18:21 . 2009-01-15 18:21 164 --a------ C:\install.dat
2009-01-15 15:49 . 2009-01-15 15:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-15 14:38 . 2009-01-15 14:38 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 12:15 . 2009-01-15 12:15 10,896 --a------ c:\windows\system32\work.ini
2009-01-15 12:14 . 2009-01-17 20:17 <DIR> d-------- c:\windows\system32\inf
2009-01-03 16:25 . 2009-01-03 16:25 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 03:32 --------- d-----w c:\documents and settings\jeffw\Application Data\DNA
2009-01-18 02:22 --------- d-----w c:\program files\DNA
2009-01-17 23:03 --------- d-----w c:\program files\Lavasoft
2009-01-16 03:44 --------- d-----w c:\documents and settings\jeffw\Application Data\BitTorrent
2009-01-15 23:48 --------- d-----w c:\documents and settings\jeffw\Application Data\Apple Computer
2009-01-11 07:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 04:03 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-08 19:27 --------- d-----w c:\program files\UltimateBet
2008-12-14 18:08 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 18:08 --------- d-----w c:\program files\Java
2008-12-12 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 17:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-29 22:25 --------- d-----w c:\program files\Safari
2008-11-26 01:44 --------- d-----w c:\program files\_uninstallation_info
2008-11-22 22:43 --------- d-----w c:\program files\iTunes
2008-11-22 22:43 --------- d-----w c:\program files\iPod
2008-11-22 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 22:41 --------- d-----w c:\program files\QuickTime
2008-11-22 22:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-19 04:17 --------- d-----w c:\program files\Yahoo!
2008-11-19 04:16 --------- d-----w c:\program files\Common Files\Scanner
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2006-09-03 20:49 19,968 ----a-w c:\documents and settings\jeffw\Application Data\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 ------w c:\windows\inf\OTHER\AUDIO3D.DLL
2008-09-08 23:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-17_20.25.32.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-18 01:42:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-18 03:15:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-18 01:42:22 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-18 03:15:07 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-16 03:45:05 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-18 02:26:58 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-16 03:45:05 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-18 02:26:58 380,350 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Xmodenafid"="c:\windows\okaxoyiviyifani.dll" [2009-01-17 132608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-01-25 2368]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\FNETUSB.sys [2006-12-16 13770]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-hgcheck - c:\windows\system32\hgcheck.exe
HKLM-Run-Lmabuzageyabeguy - c:\windows\Ptuvomizihawagu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on CD - f:\program files\AHD\ahd.htm
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\jeffw\Start Menu\Programs\UltimateBet\UltimateBet.lnk
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 21:40:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-17 21:41:59
ComboFix-quarantined-files.txt 2009-01-18 03:41:41

Pre-Run: 28,941,783,040 bytes free
Post-Run: 28,925,104,128 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
162 --- E O F --- 2009-01-14 00:10:44
jwood_013 is offline  
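Added example, not part of this thread or of ComboFix itself: a small Python triage script over the "Reg Loading Points" and "ORPHANS REMOVED" sections of the log above. It picks out the Run value that loads a bare, freshly stamped DLL straight out of c:\windows (the pattern behind the Xmodenafid entry that the next CFScript collects). The sample log is a trimmed copy of the posted one; the flag rules and the 7-day recency threshold are my own choices, not ComboFix's.

```python
"""Triage the autorun listing that ComboFix prints in its log.

Rules applied to each Run/RunOnce value (all three are heuristics chosen
for this example, not anything ComboFix itself reports):
  * the target is a .dll rather than a program (a DLL under a Run key is
    loaded through rundll32, the usual Virtumonde/Vundo loader style)
  * the file sits directly in the Windows directory instead of a vendor
    folder under Program Files
  * the file's date stamp lies within a few days of the log date
"""
import ntpath
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: a trimmed copy of the ComboFix log posted above.
SAMPLE_LOG = r"""
ComboFix 09-01-17.03 - jeffw 2009-01-17 21:38:30.2 - NTFSx86
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Xmodenafid"="c:\windows\okaxoyiviyifani.dll" [2009-01-17 132608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-hgcheck - c:\windows\system32\hgcheck.exe
HKLM-Run-Lmabuzageyabeguy - c:\windows\Ptuvomizihawagu.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
# "name"="path" [YYYY-MM-DD size]  -- the form ComboFix uses for Run values
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$"
)
ORPHAN_RE = re.compile(r"^(?P<hive>HK\w+)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+?)\s*$")
HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (?P<date>\d{4}-\d{2}-\d{2}) ")


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    file_date: date
    size: int
    flags: list = field(default_factory=list)


def parse_log_date(log_text: str):
    """Date from the 'ComboFix <ver> - <user> <date> ...' header line, or None."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return date.fromisoformat(m.group("date"))
    return None


def parse_autoruns(log_text: str) -> list:
    """Collect the dated values under every key whose name contains \\Run."""
    entries, key = [], None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key and "\\run" in key.lower():
            entries.append(Autorun(key, m.group("name"), m.group("path"),
                                   date.fromisoformat(m.group("date")),
                                   int(m.group("size"))))
    return entries


def parse_orphans(log_text: str) -> list:
    """(name, path) pairs from the ORPHANS REMOVED block."""
    return [(m.group("name"), m.group("path"))
            for m in map(ORPHAN_RE.match, log_text.splitlines()) if m]


def triage(log_text: str, recent_days: int = 7) -> list:
    """Return only the autoruns that trip at least one heuristic."""
    log_date = parse_log_date(log_text)
    flagged = []
    for e in parse_autoruns(log_text):
        parent = ntpath.dirname(e.path).lower().rstrip("\\")
        if ntpath.splitext(e.path)[1].lower() == ".dll":
            e.flags.append("DLL registered as a Run value (rundll32-style load)")
        if parent in (r"c:\windows", r"c:\winnt"):
            e.flags.append("file dropped directly in the Windows directory")
        # Future-dated files are flagged too; a negative age is just as odd.
        if log_date and (log_date - e.file_date).days <= recent_days:
            e.flags.append(f"file stamped within {recent_days} days of the log")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name!r} -> {e.path}")
        for f in e.flags:
            print("   !", f)
    for name, path in parse_orphans(SAMPLE_LOG):
        print(f"orphan Run value already removed: {name} -> {path}")
```

Run against a full log, the script lists one line per suspicious value plus the orphaned Run values ComboFix already stripped, which is the short list a helper checks before writing the next CFScript.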
Old 01-17-2009, 08:59 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Hi -

If you're visiting the same sites as before the cleaning began, please don't. If you're not, we'll have to dig around a bit more. New infections don't generally come into the machine once we begin the cleaning.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    For your McAfee, try this:

    Double-click the taskbar icon to open the Security Center
    Click Advanced Menu (lower left)
    Click Configure (left)
    Click Computer & Files (upper left)
    VirusScan can be disabled on the right.


  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335422-virtumonde.html#post1918459

    DirLook::
    c:\windows\system32\inf

    Collect::
    c:\windows\okaxoyiviyifani.dll
    c:\windows\system32\work.ini



    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-17-2009, 09:23 PM   #13 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

I do apologize; McAfee was set to turn on at restart.
ComboFix 09-01-17.03 - jeffw 2009-01-17 22:09:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.290 [GMT -6:00]
Running from: c:\documents and settings\jeffw\Desktop\ComFxx.exe
Command switches used :: c:\documents and settings\jeffw\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\okaxoyiviyifani.dll
c:\windows\system32\work.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 22:05 . 2009-01-17 22:05 755 --a------ c:\windows\system32\spupdsvc.inf
2009-01-17 22:03 . 2009-01-17 22:03 <DIR> d-------- c:\windows\LastGood
2009-01-17 22:03 . 2009-01-17 22:03 <DIR> d--h-c--- c:\windows\ie8
2009-01-15 21:01 . 2009-01-17 16:57 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 18:50 . 2009-01-15 18:50 20,176 --ah----- c:\windows\system32\mlfcache.dat
2009-01-15 18:21 . 2009-01-15 18:21 164 --a------ C:\install.dat
2009-01-15 15:49 . 2009-01-15 15:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-15 14:38 . 2009-01-15 14:38 <DIR> d-------- c:\documents and settings\Administrator
2009-01-15 12:14 . 2009-01-17 20:17 <DIR> d-------- c:\windows\system32\inf
2009-01-03 16:25 . 2009-01-03 16:25 <DIR> d-------- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 04:02 --------- d-----w c:\documents and settings\jeffw\Application Data\DNA
2009-01-18 02:22 --------- d-----w c:\program files\DNA
2009-01-17 23:03 --------- d-----w c:\program files\Lavasoft
2009-01-16 03:44 --------- d-----w c:\documents and settings\jeffw\Application Data\BitTorrent
2009-01-15 23:48 --------- d-----w c:\documents and settings\jeffw\Application Data\Apple Computer
2009-01-11 07:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 04:03 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-08 19:27 --------- d-----w c:\program files\UltimateBet
2008-12-14 18:08 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 18:08 --------- d-----w c:\program files\Java
2008-12-12 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 17:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-29 22:25 --------- d-----w c:\program files\Safari
2008-11-26 01:44 --------- d-----w c:\program files\_uninstallation_info
2008-11-22 22:43 --------- d-----w c:\program files\iTunes
2008-11-22 22:43 --------- d-----w c:\program files\iPod
2008-11-22 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 22:41 --------- d-----w c:\program files\QuickTime
2008-11-22 22:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-19 04:17 --------- d-----w c:\program files\Yahoo!
2008-11-19 04:16 --------- d-----w c:\program files\Common Files\Scanner
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-08-22 09:14 2,651,968 ----a-w c:\windows\inf\SETE3.tmp
2006-09-03 20:49 19,968 ----a-w c:\documents and settings\jeffw\Application Data\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 ------w c:\windows\inf\OTHER\AUDIO3D.DLL
2008-09-08 23:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\inf ----



((((((((((((((((((((((((((((( snapshot@2009-01-17_20.25.32.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-07 08:26:44 71,680 -c--a-w c:\windows\ie8\admparse.dll
+ 2008-10-16 20:38:34 124,928 -c--a-w c:\windows\ie8\advpack.dll
+ 2008-04-14 00:11:51 35,328 -c--a-w c:\windows\ie8\corpol.dll
+ 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\ie8\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\ie8\dxtrans.dll
+ 2006-10-17 16:44:36 60,416 -c--a-w c:\windows\ie8\hmmapi.dll
+ 2008-10-16 20:38:35 63,488 -c--a-w c:\windows\ie8\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c--a-w c:\windows\ie8\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c--a-w c:\windows\ie8\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c--a-w c:\windows\ie8\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\ie8\ieakui.dll
+ 2007-04-17 09:28:12 2,455,488 -c--a-w c:\windows\ie8\ieapfltr.dat
+ 2008-10-16 20:38:35 383,488 -c--a-w c:\windows\ie8\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c--a-w c:\windows\ie8\iedkcs32.dll
+ 2008-04-14 00:11:54 81,920 -c--a-w c:\windows\ie8\ieencode.dll
+ 2008-10-16 20:38:37 6,066,176 -c--a-w c:\windows\ie8\ieframe.dll
+ 2006-11-08 02:03:36 191,488 -c--a-w c:\windows\ie8\iepeers.dll
+ 2008-10-16 20:38:37 44,544 -c--a-w c:\windows\ie8\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c--a-w c:\windows\ie8\iertutil.dll
+ 2006-11-07 08:26:42 55,296 -c--a-w c:\windows\ie8\iesetup.dll
+ 2006-11-08 02:03:36 180,736 -c--a-w c:\windows\ie8\ieui.dll
+ 2008-10-15 0726 633,632 -c--a-w c:\windows\ie8\iexplore.exe
+ 2006-10-17 16:57:58 36,352 -c--a-w c:\windows\ie8\imgutil.dll
+ 2006-11-07 08:26:24 92,672 -c--a-w c:\windows\ie8\inseng.dll
+ 2008-05-09 10:53:39 512,000 -c--a-w c:\windows\ie8\jscript.dll
+ 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\ie8\jsproxy.dll
+ 2006-10-17 17:05:10 40,960 -c--a-w c:\windows\ie8\licmgr10.dll
+ 2008-10-16 20:38:37 459,264 -c--a-w c:\windows\ie8\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c--a-w c:\windows\ie8\msfeedsbs.dll
+ 2006-10-17 16:58:32 12,288 -c--a-w c:\windows\ie8\msfeedssync.exe
+ 2006-10-17 16:56:10 45,568 -c--a-w c:\windows\ie8\mshta.exe
+ 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\ie8\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\ie8\mshtmled.dll
+ 2006-10-17 16:28:56 48,128 -c--a-w c:\windows\ie8\mshtmler.dll
+ 2006-11-08 02:03:36 156,160 -c--a-w c:\windows\ie8\msls31.dll
+ 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\ie8\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\ie8\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c--a-w c:\windows\ie8\occache.dll
+ 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\ie8\pngfilt.dll
+ 2006-09-06 21:43:16 213,216 -c--a-w c:\windows\ie8\spuninst.exe
+ 2008-08-22 09:21:04 49,736 -c--a-w c:\windows\ie8\spuninst\iecustom.dll
+ 2008-06-12 17:27:58 231,456 -c--a-w c:\windows\ie8\spuninst\spuninst.exe
+ 2008-06-12 17:28:00 382,496 -c--a-w c:\windows\ie8\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c--a-w c:\windows\ie8\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\ie8\urlmon.dll
+ 2008-05-09 10:53:40 430,080 -c--a-w c:\windows\ie8\vbscript.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w c:\windows\ie8\vgx.dll
+ 2008-10-16 20:38:39 233,472 -c--a-w c:\windows\ie8\webcheck.dll
+ 2006-10-17 17:05:58 206,336 -c--a-w c:\windows\ie8\winfxdocobj.exe
+ 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\ie8\wininet.dll
- 2009-01-18 01:42:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-18 03:46:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-18 01:42:22 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-18 03:46:14 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-12 17:27:52 1,022,976 -c----w c:\windows\system32\dllcache\browseui.dll
+ 2008-08-22 09:07:08 18,944 -c----w c:\windows\system32\dllcache\corpol.dll
+ 2008-06-12 17:27:52 1,497,088 -c----w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-06-12 17:27:52 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-06-12 17:27:56 134,144 -c----w c:\windows\system32\dllcache\sqmapi.dll
- 2006-06-29 13:05:44 26,112 ----a-w c:\windows\system32\idndl.dll
+ 2008-06-12 17:27:42 26,112 ----a-w c:\windows\system32\idndl.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-08-22 0924 36,864 ----a-w c:\windows\system32\ieudinit.exe
+ 2009-01-09 23:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2008-08-05 23:55:38 265,720 ----a-w c:\windows\system32\msdbg2.dll
- 2006-06-28 22:59:26 24,576 ----a-w c:\windows\system32\nlsdl.dll
+ 2008-06-12 17:27:44 24,576 ----a-w c:\windows\system32\nlsdl.dll
- 2009-01-16 03:45:05 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-18 02:26:58 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-16 03:45:05 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-18 02:26:58 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-08-22 09:05:00 48,640 ------w c:\windows\system32\PrivacIE.dll
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-06-12 17:27:58 16,928 ------w c:\windows\system32\spmsg.dll
- 2007-08-11 01:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2008-06-12 17:27:58 26,144 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-04-14 00:12:11 121,856 ----a-w c:\windows\system32\xmllite.dll
+ 2008-06-12 17:28:02 121,856 ----a-w c:\windows\system32\xmllite.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-01-25 2368]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\FNETUSB.sys [2006-12-16 13770]
S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-09-07 26144]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Xmodenafid - c:\windows\okaxoyiviyifani.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on CD - f:\program files\AHD\ahd.htm
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\jeffw\Start Menu\Programs\UltimateBet\UltimateBet.lnk
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 22:10:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-17 22:12:36
ComboFix-quarantined-files.txt 2009-01-18 04:12:17
ComboFix2.txt 2009-01-18 03:42:00

Pre-Run: 28,636,499,968 bytes free
Post-Run: 28,650,389,504 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
237 --- E O F --- 2009-01-14 00:10:44
jwood_013 is offline  
Old 01-17-2009, 09:29 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Ok, looks like that went well, and nothing new came in...however...did you just install IE8? It's really not a good idea to make system changes I've not requested while we're working together. Additionally, IE8 is still Beta, and prone to Beta type issues. Leave it for now, but be advised.

---------------------------------------------------------------------------------------------

moving on....

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 11 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
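As an added illustration of the Java cleanup requested in the post above (this is not code from the thread or from any of the tools it names), the following PowerShell snippet enumerates the Java runtime entries that Add/Remove Programs reads from the registry Uninstall keys and reports every one except the newest. It assumes the installers record a numeric DisplayVersion (such as 1.6.0.110 for Java 6 Update 11) so that versions sort correctly; entries without one sort to the bottom.

```powershell
# Added example: audit installed Java runtimes and flag the stale ones.
# Add/Remove Programs is populated from these Uninstall keys (the Wow6432Node
# path only exists on 64-bit Windows and is silently skipped elsewhere).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match the display names seen in the thread: "J2SE Runtime Environment 5.0 Update 10",
# "Java(TM) 6 Update 2" and "Java(TM) SE Runtime Environment 6 Update 1".
$javaPattern = '^(J2SE Runtime Environment|Java\(TM\)( SE Runtime Environment)? \d)'

$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $javaPattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if (-not $java) {
    Write-Host 'No Java runtime entries found.'
    return
}

# Assumption: DisplayVersion is numeric (e.g. 1.5.0.100, 1.6.0.110); anything
# unparseable is treated as 0.0 so it lands in the "remove" list for review.
$sorted = $java | Sort-Object -Descending {
    try { [version]$_.DisplayVersion } catch { [version]'0.0' }
}

$newest = $sorted | Select-Object -First 1
Write-Host ("Keep  : {0} ({1})" -f $newest.DisplayName, $newest.DisplayVersion)

# Everything older is the same stale set the helper asked to be uninstalled.
$sorted | Select-Object -Skip 1 | ForEach-Object {
    Write-Host ("Remove: {0} ({1})" -f $_.DisplayName, $_.DisplayVersion)
    # UninstallString is what Add/Remove Programs runs; printed for the record only.
    Write-Host ("        {0}" -f $_.UninstallString)
}
```

The script only reports; the actual removal still goes through Add/Remove Programs as the post instructs.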
Old 01-17-2009, 10:27 PM   #15 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

Sorry for the wait. Having trouble with IE and McAfee. Installed IE 7 but it's not working properly. McAfee won't reinstall; it hangs on the reinstall screen.
jwood_013 is offline  
Old 01-17-2009, 10:40 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

I did the ATF clean. Can't run Kaspersky; it says my Java isn't up to date, but IE isn't loading properly.
jwood_013 is offline  
Old 01-17-2009, 11:32 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

Quote:
Originally Posted by jwood_013 View Post
Sorry for the wait. Having trouble with IE and McAfee. Installed IE 7 but it's not working properly. McAfee won't reinstall; it hangs on the reinstall screen.
Why was McAfee uninstalled? Have you been able to reinstall it?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-17-2009, 11:39 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

McAfee is not working. I cannot install it.
jwood_013 is offline  
Old 01-17-2009, 11:41 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: Virtumonde

That was a two part question...why did you uninstall it in the first place? I don't understand. It seemed to be fine.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-17-2009, 11:44 PM   #20 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 35
OS: XP sp3


Re: Virtumonde

McAfee was not working. After the last ComboFix it wouldn't open. I reinstalled it with no success. I thought this was logical. I do apologize and will let you know of any issues.
jwood_013 is offline  
Copyright 2001 - 2009, Tech Support Forum