Virtumonde... *sigh*

**chris_0076** · 2008-12-28, 03:55

I scanned with Spybot and found Virtumonde so I had it fix it. Then I rebooted and went into safe mode and pulled out my network cable and ran the scan again as well as AdAware and Avast. It was still there so I removed it again and rebooted back in normal mode... and it is still there.

Problems Occurring:
Google search links go to random places on first click. (Second time they work just fine.)
Lots of Internet Explorer Pop ups when running Firefox.
Large quantities of used RAM that are not documented in Task Manager.
Programs load slow...(but not they normal slow computer slow) It is like it has to search for where it is then it loads the program instantly.
Windows Explorer does the same as loading programs when switching folders.
Other odds and ends...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:42 PM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [e7LBFID2j1Preb] C:\Documents and Settings\JUser\Application Data\Microsoft\Windows\qolab.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll lyedva.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5473 bytes

Thank you for any and all support,
Chris

**Shaba** · 2009-01-01, 10:57

Hi chris_0076

Rename HijackThis.exe to chris_0076.exe and post back a fresh HijackThis log, please

**chris_0076** · 2009-01-02, 00:35

Thanks for the reply... but the symptoms have gotten much much worse. I can no longer get on to that computer, and all of the restore points have been deleted. When ever I turn it on it goes to the desktop and loads a few icons then it just stops. Last known good configuration does not work because it sees that as being a good boot because it makes it all the way to the desktop.

I do not think that it will do much good if I post a log from Safe mode....

Any ideas?

Thanks,
Chris

**chris_0076** · 2009-01-02, 02:52

I went into safe mode and ran another Spybot scan and it found 22 things

... I restarted and was able to go into normal mode. It has been working fine so far, but Virtumonde is still here... and I also noticed that it will not allow me to do anything with System Restore at all.

Anyways here are the logs:

HijackThis.exe

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:29 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll ouyxpw.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5493 bytes

Chris_0076.exe

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:34 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\Chris_0076.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01698E7A-FB68-441C-989D-28B341D1C033} - (no file)
O2 - BHO: (no name) - {0d6d9717-ba61-4f7a-bc2e-18b5aa35fb2a} - (no file)
O2 - BHO: {a71913a9-4f3c-e5a9-a954-f50579d803e1} - {1e308d97-505f-459a-9a5e-c3f49a31917a} - C:\WINDOWS\system32\ouyxpw.dll
O2 - BHO: (no name) - {3E0366A4-9A52-452A-A719-40136CDF182A} - C:\WINDOWS\system32\mlJYrrqP.dll
O2 - BHO: (no name) - {3E47454F-88D6-415F-9487-A6DD9498AFA6} - (no file)
O2 - BHO: (no name) - {4961599b-e270-408a-9751-097d90cfa075} - (no file)
O2 - BHO: (no name) - {4EEFA112-AB29-4CC4-A0D9-8DCEB03A0698} - (no file)
O2 - BHO: (no name) - {532892D1-073F-4CDD-9B6E-3CC601DD0D17} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5746f1d0-f079-4d1f-8f47-1fa761c71237} - (no file)
O2 - BHO: (no name) - {6d5ee4e7-bd4e-4346-94ae-d13cd52f4dba} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcBSJbA.dll
O2 - BHO: (no name) - {73cee713-756c-4db7-9feb-4216a74b421e} - (no file)
O2 - BHO: (no name) - {8FC025C4-FF29-42EB-B948-031AA58040DF} - (no file)
O2 - BHO: (no name) - {A0C04D9F-CF3A-4818-A66B-87DB27DCA9B6} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: agadoo browser enhancer - {BE2D9D94-B96F-170C-0690-CDAA7E2E2313} - C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll
O2 - BHO: (no name) - {C3CF227F-2834-4B58-80A0-AA02ADA7192A} - (no file)
O2 - BHO: (no name) - {CC4789A4-807F-4193-826D-9BEB1699B429} - (no file)
O2 - BHO: (no name) - {D08A92D9-B5FD-46E1-974C-8A3DA21C2186} - (no file)
O2 - BHO: (no name) - {E480AFE2-95BD-4D2A-8558-1B26BDD52693} - (no file)
O2 - BHO: (no name) - {e7ad38ba-2c55-4595-827e-35e1f16d5dee} - C:\WINDOWS\system32\jujukeyo.dll (file missing)
O2 - BHO: (no name) - {EA149AE3-8CC5-4EC7-8EB7-22EA6E693178} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll ouyxpw.dll
O20 - Winlogon Notify: ddcBSJbA - C:\WINDOWS\SYSTEM32\ddcBSJbA.dll
O20 - Winlogon Notify: xxyaBUkL - xxyaBUkL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 7620 bytes

**Shaba** · 2009-01-02, 10:20

Yes that is due to infection.

We will continue with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix

**chris_0076** · 2009-01-02, 18:37

Well... it found some things and said that it needed to restart, so it did. When it rebooted it pulled up a window saying that some memory comand dealling with winlogon did not work. There were two options (Debug and Ok) both went to a stop error. (0x00000005) or I think that is how many zeros it had.

Rebooting with last known good configuration now.

**Shaba** · 2009-01-02, 18:39

Thank you for update.

Please check if C:\ComboFix.txt exists after reboot.

**chris_0076** · 2009-01-02, 18:55

....I'm not liking the no editing posts....

Anyways... tried to boot with last known good configuration and it did the same thing. Tried it with safe mode and it still did the same thing.

It is beginning to seem as though the more I do the worse it gets...

**Shaba** · 2009-01-02, 19:00

Did you disable avast! before running combofix as instructed?

If not, that might have caused it.

**chris_0076** · 2009-01-02, 19:03

Yes I disabled it, then it rebooted and turned it back on, but it would not let me turn it off...

Thread: Virtumonde... sigh

Thread Tools

Display

Virtumonde... sigh

Posting Permissions

Thread: Virtumonde... *sigh*