
Thread: Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

  1. #1
    Junior Member (Join Date: Nov 2008, Posts: 24)

    Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

    Yesterday (2008-11-22), I began having problems with Google redirects after conducting searches. Websites would open in new windows that related to my search queries. I tried to run Adaware and that would crash. Norton AV picked up nothing. I noticed the following strange startup options that had been added:

    Startup Item: bepepono
    Command: Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
    Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Startup Item: dayevino
    Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
    Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Startup Item: huholapu
    Command: Rundll32.exe "C:\WINDOWS\system32\ huholapu.dll",b
    Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Startup Item: dayevino
    Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
    Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    So I googled these terms and found absolutely nothing. I found it to be very strange that none of these words turned up a single solitary Google entry (bepepono, dayevino, huholapu). As soon as I would uncheck these items in startup, leave, then come back, they would be automatically rechecked. I tried deleting the actual dll files and it wouldn't let me.

    So I found Spybot and that helped immensely! It found the following problems:

    MS.WindowsSecurityCenter.FirewallBypass
    Virtumonde.prx
    Virtumonde

    I ran Spybot a few more times, a couple times while not connected to the internet (per recommendation on one of the items). Yet the Google redirecting would still occur.

    I then ran the Atribune ATF Cleaner. The Google redirecting stopped occurring. The strange startup items now allow me to uncheck them - all except for one:

    Startup Item: dayevino
    Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
    Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    This startup item always stays checked. So I am concerned that my computer is still infected. Here is my HJT Log. You will notice all of the references to the above-named startup items:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:55:02 PM, on 11/23/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
    C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
    O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.baisidirect.com
    O15 - Trusted Zone: http://www.surfcam.net
    O15 - Trusted Zone: http://www.surfguru.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1192966664312
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1222114178859
    O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
    O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradi...ivestream2.gif
    O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnrad...ideo?play=live

    --
    End of file - 7890 bytes

    Any help would be very greatly appreciated. I'm almost there!
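The startup entries and the O2/O4/O18/O20/O21 lines in the log above share one shape: a DLL in system32 whose name is eight random lowercase letters, loaded either by Rundll32 from a Run key or from one of the HijackThis sections that inject a DLL system-wide (AppInit_DLLs, SSODL, SharedTaskScheduler, MIME filter). The Python script below is an added example, not part of the original post and not HijackThis code: it reads HJT-formatted lines and lists the DLL references a helper would want to look at first. The sample lines are copied from the log above plus one benign O23 line; the eight-letter name heuristic is an assumption drawn from the names seen in this thread, not a property of every Virtumonde variant, so it is a triage aid rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Heuristics taken from the log above (assumptions, not general rules): the
# injected DLLs have eight random lowercase letters and live in system32, and the
# risky entries sit in the HJT sections that load a DLL system-wide.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")          # bepepono.dll, dayevino.dll ...
DLL_PATH = re.compile(r'(?i)[a-z]:\\[^",]*?\.dll')   # a DLL path; stops at the first .dll
SECTION = re.compile(r"^(O\d+) - ")                  # HJT "O" sections; R-lines are not examined
SYSTEM_WIDE = {
    "O18": "MIME filter hijack",
    "O20": "AppInit_DLLs (loaded into every process that uses user32)",
    "O21": "ShellServiceObjectDelayLoad (loaded by Explorer)",
    "O22": "SharedTaskScheduler (loaded by Explorer)",
}
RANDOM_NAME_REASON = "eight random lowercase letters in system32"
NO_NAME_REASON = "BHO registered with no name"

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus one benign O23 line, so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reasons: Tuple[str, ...]


def assess_line(line: str) -> List[Finding]:
    """Return one Finding per DLL on a single HJT line that deserves a closer look."""
    m = SECTION.match(line.strip())
    if not m:
        return []
    section = m.group(1)
    findings = []
    for path in DLL_PATH.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\system32\\" in path.lower() and RANDOM_DLL.match(name):
            reasons.append(RANDOM_NAME_REASON)
        if section in SYSTEM_WIDE:
            # Any DLL here runs in every process or in the shell: check its publisher.
            reasons.append(SYSTEM_WIDE[section] + "; verify the publisher")
        if section == "O2" and "(no name)" in line:
            reasons.append(NO_NAME_REASON)
        if reasons:
            findings.append(Finding(section, path, tuple(reasons)))
    return findings


def scan(log_text: str) -> List[Finding]:
    """Run assess_line over every line of an HJT log and collect the findings."""
    return [f for line in log_text.strip().splitlines() for f in assess_line(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section:4} {f.path}")
        for r in f.reasons:
            print(f"     - {r}")
```

Run against the sample, the benign Adobe BHO and the Wacom service produce nothing, while subalavi.dll, bepepono.dll, pukovubu.dll and both dayevino.dll references are listed, and mst120.dll is listed only because a text/html MIME filter is an unusual thing to find. Feed it a full saved log with `scan(open("hijackthis.log").read())`.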

  2. #2
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.

    Not quite sure what this is, please be patient while we find out and remove it.

    1) Post an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg


    2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post the C:\rapport.txt and the uninstall list.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member (Join Date: Nov 2008, Posts: 24)

    pskelley, thanks so much for the help! Yeah, this is getting worse. The startup files seem to be random. It's like what I read, the files are random eight-letter names. Every now and then, it adds a new one. It's getting much harder to use the internet now. I haven't changed anything since I posted the first time. But it's going to be hard to not use the internet for troubleshooting.

    I ran the HJT list, but Smitfraud didn't do much. It opened to a dos window, but just sat there blinking. I left it for about 10 mins, but nothing. Searched the hdd for "rapport" and nothing. No new txt files at the c drive. I did get a new folder on my desktop called "SmitfraudFix". It contains 25 executables. Do I need to use one of these?

    Here's the HJT Uninstall List:

    Ad-Aware
    Adobe Flash Player ActiveX
    Adobe Photoshop CS
    Adobe Reader 8.1.1
    APC PowerChute Personal Edition
    Audio MP3 Sound Recorder
    Canon EOS Kiss REBEL 300D WIA Driver
    Canon Utilities File Viewer Utility 1.3
    Canon Utilities RemoteCapture 2.7
    CC_ccStart
    ccCommon
    Compaq Monitor Driver (INF) Software 3.00
    DAZzle
    DeMoirize
    DivX
    DivX Player
    DivX User Guide
    Easy CD Creator 5 Basic
    eDualHead
    Eraser
    FLV Player 2.0, build 24
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP PrecisionScan Pro 3.0
    Intel(R) PRO Network Adapters and Drivers
    Internet Explorer Q903235
    IrfanView (remove only)
    Java 2 Runtime Environment, SE v1.4.2_01
    Java(TM) 6 Update 2
    LiveReg (Symantec Corporation)
    LiveUpdate 3.0 (Symantec Corporation)
    Logitech MouseWare 9.78
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia HomeSite+
    Matrox Driver
    Matrox PowerDesk-SE
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    ML-1450 Series
    ML-1450 Series PS
    MonacoOPTIX 2.0
    Mozilla Firefox (3.0.3)
    MSRedist
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MultipleIEs
    Norton AntiVirus
    Norton AntiVirus Parent MSI
    Norton CleanSweep
    Norton SystemWorks 2004
    Norton SystemWorks 2004 (Symantec Corporation)
    Norton Utilities
    Norton WMI Update
    NSW_DRM_COLLECTION
    Opera 9.62
    PDFCreator
    QBFC2
    QBImport
    QuickBooks Pro 2002
    QuickTime
    RealPlayer
    Road Runner Safe Storage
    RoadRunner
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Sound Blaster PCI
    Spybot - Search & Destroy
    Symantec Script Blocking Installer
    SymNet
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Wacom Tablet Driver
    WD Diagnostics
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows Messenger 5.0
    Windows XP Service Pack 3
    WinRAR archiver

  4. #4
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    We need to get Smitfraudfix to run, I need the information it will provide. Read the instructions carefully. Turn off Norton/Symantec for the time you are downloading the program. That is what the disclaimer is for, to let you know your AV program may block a needed file.
    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    1) Remove any Smitfraudfix you have now, right click and delete it.

    2) Exit Norton just for the time needed to download the program.

    3) Download from here: http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    4) "Save this file now" and save it to your Desktop.

    5) http://siri.urz.free.fr/Fix/SmitfraudFix.exe <<< look carefully at this information. Look at the screenshot so you will know what you will see when you double-click on the Smitfraudfix.exe.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    That is as far as you go this time, the program will search for the infection, post the C:\rapport.txt

    You can see another members report here, Post number 3 is what the report will look like.
    http://forums.spybot.info/showthread.php?t=37078

    Thanks

  5. #5
    Junior Member (Join Date: Nov 2008, Posts: 24)

    Thanks for the help, I'm just not having any luck with this. I already had Norton disabled in the taskbar and in startup. So this time, I disabled all the Norton services I could find - thru Computer Management. Shut down. (It wouldn't let me delete the Smitfraud folder until I shut down first.) Turned back on. Deleted the Smitfraud items. Emptied Recycle Bin. Shut down again. Turned back on. Made sure the Norton services I disabled were still disabled and not running. Went back to this page and downloaded Smitfraud file from this page to desktop. Double-clicked and left it alone. Still just a blinking cursor. Then I went back and did it all again, but ran it while offline. Still just the blinking cursor. I can't think of any other ways to turn off Norton. Do I need to uninstall it? Well, it looks like I'm hitting a wall. There were three malignant dll file references checked in startup. I can't shut them off. Could the malware be preventing the software from running?

  6. #6
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Thanks for the feedback, and it is very possible malware is blocking Smitfraudfix. It is happening all over and I have never seen these files before.

    Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

    Hackers are using out of date programs to infect folks more and more,
    Here is a small free tool that lets you know when something needs an update if you are interested:
    http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

    Adobe Reader 8.1.1 <<< out of date, see this:
    http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
    http://www.filehippo.com/download_adobe_reader/
    (if you want a smaller program, look at this one)
    Foxit Reader 2.3 for Windows
    http://www.foxitsoftware.com/pdf/rd_intro.php

    Java 2 Runtime Environment, SE v1.4.2_01 <<< very old
    Java(TM) 6 Update 2

    See this information:
    http://forums.spybot.info/showpost.p...80&postcount=2
    Be aware of this information so you can opt out of anything you do not want.
    Microsoft Does MSN Toolbar Distribution Deal With Java:
    http://searchengineland.com/microsof...java-15413.php
    Very old version can be difficult to uninstall, if you have a problem, this tool will help:
    http://www.majorgeeks.com/JavaRa_d5967.html


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks

  7. #7
    Junior Member (Join Date: Nov 2008, Posts: 24)

    Well, this is getting interesting. This post is real long, but here goes. It seems that Combofix will only run if I'm offline. I tried it a couple times with no luck. It would start to open, showing a bar that suggests it's starting. But then nothing. If I opened Task Manager, no programs were open. The next time, as soon as the combofix.exe downloaded from your site, I disconnected my internet connection real fast. Ran Combofix and that time, it worked. But I didn't continue because I was worried about not having the Windows Recovery Console. So I ran a backup to be safe. Here's some things I noticed:

    After trying to run Combofix, its desktop icon moves from last of the icons to its proper spot in alphabetical order.

    When I shut down, cmd.execf was still running in Task Manager. So I shut that off manually.

    I tried renaming the Combofix file to fool the malware. That didn't work.

    I have a new file on my root c: called "Bug.txt". Here are the contents:

    PUSHD "C:\32788R22FWJFW\"

    IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

    VER 1>OsVer

    "C:\WINDOWS\system32\Find.exe" "5.2." OsVer

    ---------- OSVER

    IF 1 == 0 GOTO Not_NT

    "C:\WINDOWS\system32\Find.exe" "5.1.2" OsVer

    ---------- OSVER
    Microsoft Windows XP [Version 5.1.2600]

    IF 0 == 0 GOTO NT

    =============================================

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\user01\Application Data
    CFLDR=32788R22FWJFW
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=COMP01
    ComSpec=C:\WINDOWS\system32\cmd.execf
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\user01
    KMD=CF20764.exe
    LOGONSERVER=\\COMP01
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
    PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$
    RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
    SESSIONNAME=Console
    sfxcmd="C:\Documents and Settings\user01\Desktop\ComboFix.exe"
    sfxname=C:\Documents and Settings\user01\Desktop\ComboFix.exe
    SYSTEM=C:\WINDOWS\system32
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\user01\LOCALS~1\Temp
    TMP=C:\DOCUME~1\user01\LOCALS~1\Temp
    USERDOMAIN=COMP01
    USERNAME=user01
    USERPROFILE=C:\Documents and Settings\user01
    windir=C:\WINDOWS

    =============================================


    IF NOT DEFINED sfxname GOTO END

    -----------------------------------------------------End (not part of file)


    Here are some other observations:

    My system tray clock is now in military time and the font is different.

    In the past week, Norton has stopped something from downloading a few times. I was on a website the first time it happened: http://www.cflsurf.com/. I've noticed that banner ads are getting really aggressive lately. They have audio, telling you that you've won something. Well I'm convinced that one of these ads triggered the first incident. Here's the Norton info on it: http://securityresponse.symantec.com...9&tabid=2.%20I. At the time, I did some poking around and concluded that it was nothing to worry about, mainly based on this thread where the same thing was happening on a forum website: http://www.tdpri.com/forum/forum-pro...p-forum-2.html. It looks like the ad is trying to access Flash and Norton doesn't like it.

    Any time I click on a link in IE, another window opens. Here are some of the links that open:

    http://gallimp.com/r_cmtp?u=http%3A%...65z&rid=606207

    http://zustaus.com/r_cmtp?u=http%3A%...65z&rid=321683

    http://cowresti.com/r_cmtp?u=http%3A...65z&rid=502859

    One link references live scan 2009.

    The power in the house flashed off for a split second. I use a UPS unit, so my computer stayed on. Could be coincidence, but the instant that happened, a new IE window opened like above. Normally, I have to click a link for that to happen.

    Okay. So I haven't done anything else. I'm wondering how risky it would be to run Combofix without the Windows Recovery Console. Maybe I can start it with the internet disconnected. Then when it gets to the Windows Recovery Console part, I can plug it in and the malware won't be able to interfere at that point? I'll wait to see what you say. Thanks for your patience with this!

  8. #8
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Yes...you can run combofix without installing Recovery Console. If that does not work, try running it in safe mode. You can even try renaming it in case the malware is blocking it.


    Double click on Combo-Fix.exe & follow the prompts.

  9. #9
    Junior Member (Join Date: Nov 2008, Posts: 24)

    Wow, this was pulling teeth. But I finally managed to run ComboFix. I had to turn services off, logoff. Try again. I tried so many things, I was about to give up. So I lost track of what exact combination made this work.

    Another thing: When ComboFix was trying to make its log, Norton popped up saying I had a virus. This suggests that the malware has control of my Norton. I know I had all signs of Norton off. I even had stopped all Norton related services in Computer Management. (Do I need to always do this?). Well the only option for this virus window was to stop it. It didn't allow me to select Allow. Sneaky. Well I knew this virus was actually Combofix trying to work because it had the same name as the ComboFix exe file that I renamed. So my only option was to enter Task Manager and turn off Norton that way. I did and eventually everything finished.

    So here's combofix.txt:

    ComboFix 08-11-26.03 - user01 2008-11-26 12:28:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1688 [GMT -5:00]
    Running from: c:\documents and settings\user01\Desktop\asdfasfa.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
    c:\program files\Common\helper.dll
    c:\program files\Common\helper.sig
    c:\windows\system32\bepepono.dll
    c:\windows\system32\bihofiye.dll
    c:\windows\system32\butugagu.dll
    c:\windows\system32\Cache
    c:\windows\system32\ejemavun.ini
    c:\windows\system32\ewedefav.ini
    c:\windows\system32\hatutiza.dll
    c:\windows\system32\huholapu.dll
    c:\windows\system32\jayoriji.dll
    c:\windows\system32\jijuwajo.dll
    c:\windows\system32\lehelojo.dll
    c:\windows\system32\nuvameje.dll
    c:\windows\system32\ojawujij.ini
    c:\windows\system32\osurehiz.ini
    c:\windows\system32\pukovubu.dll
    c:\windows\system32\subalavi.dll
    c:\windows\system32\tudofeju.dll
    c:\windows\system32\ugagutub.ini
    c:\windows\system32\vafedewe.dll
    c:\windows\system32\wayolelu.dll
    c:\windows\system32\yofamemo.dll
    c:\windows\system32\ziheruso.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
    .

    2008-11-26 09:38 . 2008-11-26 12:27 <DIR> d-------- C:\ComboFix
    2008-11-26 08:43 . 2008-11-26 08:43 410,976 --a------ c:\windows\system32\deploytk.dll
    2008-11-26 08:43 . 2008-11-26 08:43 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-11-23 21:17 . 2008-11-23 21:17 <DIR> d-------- c:\program files\Trend Micro
    2008-11-23 15:26 . 2008-11-23 15:26 95 --a------ c:\windows\wininit.ini
    2008-11-23 13:54 . 2008-11-23 14:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-23 13:54 . 2008-11-23 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-23 11:13 . 2008-11-23 11:13 <DIR> d-------- C:\ccd066084f53d0438d065ff286
    2008-11-23 11:03 . 2008-11-23 11:03 <DIR> d-------- C:\725ff6cd28be1104e3bc64
    2008-11-23 11:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --a------ c:\windows\system32\SET4C.tmp
    2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\SET13.tmp
    2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-23 11:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
    2008-11-23 11:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
    2008-11-21 09:06 . 2008-11-22 23:04 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-21 09:06 . 2008-11-21 09:06 1,409 --a------ c:\windows\QTFont.for
    2008-11-10 18:14 . 2008-11-26 12:28 <DIR> d-------- c:\program files\Common
    2008-11-03 19:30 . 2008-11-03 19:30 <DIR> d-------- c:\program files\MultipleIEs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-26 13:42 --------- d-----w c:\program files\Java
    2008-11-25 20:09 --------- d-----w c:\program files\QBImport
    2008-11-23 06:27 --------- d-----w c:\program files\Bradbury
    2008-10-31 03:07 --------- d-----w c:\program files\Opera
    2008-10-25 00:41 --------- d-----w c:\program files\MSXML 4.0
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-14 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-01 19:37 --------- d-----w c:\program files\Safe Storage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
    backup=c:\windows\pss\AOL Companion.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
    backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coloreal Visual.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Coloreal Visual.lnk
    backup=c:\windows\pss\Coloreal Visual.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
    backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
    backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoGamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
    backup=c:\windows\pss\MonacoGamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoReminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
    backup=c:\windows\pss\MonacoReminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
    backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Road Runner Safe Storage.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Road Runner Safe Storage.lnk
    backup=c:\windows\pss\Road Runner Safe Storage.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Internet Call Notification.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk
    backup=c:\windows\pss\U.S. Robotics Internet Call Notification.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^user01^Start Menu^Programs^Startup^RoadRunner Setup Wizard.lnk]
    path=c:\documents and settings\user01\Start Menu\Programs\Startup\RoadRunner Setup Wizard.lnk
    backup=c:\windows\pss\RoadRunner Setup Wizard.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    --------- 2003-03-26 10:15 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    --------- 2006-03-09 11:47 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMixer]
    --------- 1999-11-18 05:01 20480 c:\program files\Creative\Audio\Program\Ctmix32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox MultiDesktop]
    --------- 2003-07-10 16:35 417792 c:\windows\system32\PowerDesk8\MultiDesk\pdmmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk 8]
    --------- 2003-09-10 11:16 77824 c:\windows\system32\PowerDesk8\PowerDesk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
    --------- 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --------- 2007-05-06 13:16 98304 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --------- 2007-05-06 13:05 214560 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-11-26 08:43 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    --------- 2005-04-27 17:42 100056 c:\progra~1\SYMNET~1\SNDMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --------- 2007-05-06 13:05 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    --------- 2003-06-30 09:50 19968 c:\windows\LOGI_MWX.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
    "CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
    "c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
    "c:\\WINDOWS\\system32\\Tablet.exe"=
    "c:\\WINDOWS\\system32\\wuauclt.exe"=
    "c:\\Program Files\\Matrox Graphics Inc\\PowerDesk SE\\Matrox.Pdesk.ServicesHost.exe"=
    "c:\\WINDOWS\\system32\\services.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

    [HKLM\~\Services\\Matrox.PowerDesk.Services.exe"=]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    R1 Mtxparmx;Mtxparmx;c:\windows\system32\DRIVERS\Mtxparmx.sys [2008-09-22 5504]
    R2 Matrox Centering Service;Matrox Centering Service;"c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
    R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
    R3 MTXPAR;MTXPAR;c:\windows\system32\DRIVERS\MTXPARM.sys [2008-09-22 1485568]
    S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys []
    S3 Ccevdmrc_cr;Ccevdmrc_cr; []
    S3 Gamrddss;Gamrddss; []
    S3 Hiemrt;Hiemrt; []
    S3 MTXPARH;MTXPARH;c:\windows\system32\DRIVERS\MTXPARHM.sys [2003-11-20 452736]
    S3 Netdwssrrw;Netdwssrrw; []
    S3 Nmlnkfkahta;Nmlnkfkahta; []
    S3 Rassosadcswf;Rassosadcswf; []
    S3 Sfl78pospt;Sfl78pospt; []
    S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
    S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
    S4 .nmspsr;.nmspsr; []
    .
    Contents of the 'Scheduled Tasks' folder

    2003-12-01 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

    2003-12-01 c:\windows\Tasks\Symantec Drmc.job
    - c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - c:\windows\system32\subalavi.dll
    MSConfigStartUp-24a054a9 - c:\windows\system32\nuvameje.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-CPM27936735 - c:\windows\system32\hatutiza.dll
    MSConfigStartUp-zowafeduve - c:\windows\system32\bepepono.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\user01\Application Data\Mozilla\Firefox\Profiles\8rye090x.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Documents%20and%20Settings/user01/My%20Documents/Practice/Practice%20-%2015%20-%20SIS/sis-05-xhtml.htm
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 12:32:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\windows\system32\Ctsvccda.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    c:\windows\system32\sessmgr.exe
    c:\windows\system32\locator.exe
    c:\program files\Norton SystemWorks\Norton Antivirus\SAVSCAN.EXE
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\tlntsvr.exe
    c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
    c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-26 12:36:23 - machine was rebooted [user01]
    ComboFix-quarantined-files.txt 2008-11-26 17:36:20

    Pre-Run: 90,437,300,224 bytes free
    Post-Run: 90,360,676,352 bytes free

    243


    And here's the HJT log:

    Ad-Aware
    Adobe Flash Player ActiveX
    Adobe Photoshop CS
    APC PowerChute Personal Edition
    Audio MP3 Sound Recorder
    Canon EOS Kiss REBEL 300D WIA Driver
    Canon Utilities File Viewer Utility 1.3
    Canon Utilities RemoteCapture 2.7
    CC_ccStart
    ccCommon
    Compaq Monitor Driver (INF) Software 3.00
    DAZzle
    DeMoirize
    DivX
    DivX Player
    DivX User Guide
    Easy CD Creator 5 Basic
    eDualHead
    Eraser
    FLV Player 2.0, build 24
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP PrecisionScan Pro 3.0
    Intel(R) PRO Network Adapters and Drivers
    Internet Explorer Q903235
    IrfanView (remove only)
    Java(TM) 6 Update 10
    LiveReg (Symantec Corporation)
    LiveUpdate 3.0 (Symantec Corporation)
    Logitech MouseWare 9.78
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia HomeSite+
    Matrox Driver
    Matrox PowerDesk-SE
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    ML-1450 Series
    ML-1450 Series PS
    MonacoOPTIX 2.0
    Mozilla Firefox (3.0.3)
    MSRedist
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MultipleIEs
    Norton AntiVirus
    Norton AntiVirus Parent MSI
    Norton CleanSweep
    Norton SystemWorks 2004
    Norton SystemWorks 2004 (Symantec Corporation)
    Norton Utilities
    Norton WMI Update
    NSW_DRM_COLLECTION
    Opera 9.62
    PDFCreator
    QBFC2
    QBImport
    QuickBooks Pro 2002
    QuickTime
    RealPlayer
    Road Runner Safe Storage
    RoadRunner
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Sound Blaster PCI
    Spybot - Search & Destroy
    Symantec Script Blocking Installer
    SymNet
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Wacom Tablet Driver
    WD Diagnostics
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows Messenger 5.0
    Windows XP Service Pack 3
    WinRAR archiver


    I should also mention that Windows Security turned itself back on and there is a yellow shield in my tray that says I have updates. Should I install them? This came up when the computer rebooted at the same time that Norton was trying to kill the ComboFix process.
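To make the "Reg Loading Points" section of a log like the one above quicker to triage, here is an added example (not part of the original thread, and not ComboFix's own code): a small Python script that parses REGEDIT4-style `[key]` / `"name"=data` blocks, flags Run-key values that load a DLL through Rundll32.exe, marks DLL names that fit a heuristic, and reports the Security Center notification-disable values. The heuristic is an assumption drawn from this log: every file ComboFix deleted has an eight-letter name that strictly alternates consonant and vowel (bepepono, dayevino, huholapu, subalavi, ...), so names of that shape are tagged for attention rather than treated as a definitive signature. The embedded sample is a constructed excerpt that reuses lines from the log above; the value name FirewallDisableNotify is a standard Security Center value that does not appear in this log.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above (same keys and values, not the full log).
SAMPLE_REG_SECTION = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Rundll32.exe "<path>.dll",<export>  (quotes around the path are optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.IGNORECASE)
# Security Center values that, when set to 1, silence its warnings/monitoring.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "FirewallDisableNotify",
    "UpdatesDisableNotify", "DisableMonitoring",
}
VOWELS = set("aeiou")


def parse_reg_section(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse [key] headers and "name"=data lines into {key: [(name, data), ...]}."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1), m.group(2)))
    return entries


def rundll32_dll_loads(entries: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Return Run-key values whose command loads a DLL via Rundll32.exe.
    ComboFix writes the Run key with a trailing dash in this section, so both
    '...\\run' and '...\\run-' are accepted."""
    hits = []
    for key, values in entries.items():
        k = key.lower()
        if not (k.endswith("\\run") or k.endswith("\\run-")):
            continue
        for name, data in values:
            m = RUNDLL_RE.match(data)
            if m:
                hits.append({"key": key, "value": name, "dll": m.group(1), "export": m.group(2)})
    return hits


def looks_like_vundo_name(path: str) -> bool:
    """Heuristic (assumption): an 8-letter file stem that strictly alternates
    consonant/vowel, the shape shared by every file deleted in the log above."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if len(stem) != 8 or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def security_center_tampering(entries: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (key, value name) pairs where a Security Center disable flag is set to 1."""
    hits = []
    for key, values in entries.items():
        if "security center" not in key.lower():
            continue
        for name, data in values:
            if name in SECURITY_CENTER_FLAGS and data.lower().endswith("00000001"):
                hits.append((key, name))
    return hits


def triage(text: str) -> List[str]:
    """Produce one finding line per suspicious autostart or Security Center change."""
    entries = parse_reg_section(text)
    findings = []
    for hit in rundll32_dll_loads(entries):
        tag = "random-looking name" if looks_like_vundo_name(hit["dll"]) else "review"
        findings.append(f"rundll32 autostart [{tag}]: {hit['value']} -> {hit['dll']},{hit['export']}")
    for key, name in security_center_tampering(entries):
        findings.append(f"security center tampering: {name}=1 under {key}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_REG_SECTION):
        print(line)
```

Run against the excerpt, the script reports both Rundll32 entries (bepepono.dll and dayevino.dll, each tagged as a random-looking name) and the three Security Center values set to 1, which is why the original poster saw no Norton or Windows Update warnings until the infection was cleaned.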

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for posting the combofix log, you said:
    When ComboFix was trying to make its log, Norton popped up saying I had a virus.
    That is the reason the instructions said this:
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See this Link for programs that need to be disabled and instruction on how to disable them.
    Remember to re-enable them when we're done.
    Please wait until you are clean before you install those Windows Updates if at all possible.

    Please read the directions carefully, I cannot proceed without that HJT log.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
    I will be away from the computer for the next several hours.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
