Page 1 of 13 1234511 ... LastLast
Results 1 to 10 of 123

Thread: Virtumonde-New Thread-As Per request

  1. #1
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Virtumonde-New Thread-As Per request

    As requested by TASHI I am starting a new thread for my problem. (THANK YOU TASHI!)

    For background information see my original post (11-10-09) at the following...

    http://forums.spybot.info/showthread.php?t=53294

    I've successfully restarted the problem computer in NORMAL MODE with no obvious sign of the previous infections and fake Anti Virus System Pro popups and warnings, porno sites, etc., but I do see a Yellow Triangle with an Exclamation Point (!) on top of my AVG Tray Icon

    I have backed up my Registry with ERUNT

    I did not disable SpyBot resident shield (teatimer?)
    I should note IE seemed to hang (not responding) and then recovered while typing this post.
    My HTJ scan log is copied below...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:46:15 PM, on 11/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1107516561703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1230150512703
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E}: NameServer = 77.74.48.113
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter hijack: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} - C:\WINDOWS\batmeter16.dll
    O20 - AppInit_DLLs: yosezezu.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O21 - SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
    O22 - SharedTaskScheduler: kupuhivus - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate1c9e522adc4ffec) (gupdate1c9e522adc4ffec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

    --
    End of file - 8491 bytes

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi there,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Virtumonde Problems

    Hi Blade81,

    Thank you for your reply and your assistance. Please also pardon my questions as I have little inexperience in these matters.

    I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?

    I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?

    Should SpyBot and AVG be DISABLED when running the DDS tool?

    And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?

    I look forward to your reply!
    ZT

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?
    Yes, that's ok

    I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?

    Should SpyBot and AVG be DISABLED when running the DDS tool?
    Antivirus programs may contain script blocking component. It's better to run DDS with protection software disabled (Spybot shouldn't cause any trouble even if it was enabled).

    And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?
    Not necessarily but have firewall enabled.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Virtumonde

    Hi Blade81,

    Here are my DDS results

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Tom McNeal at 11:50:25.63 on Fri 11/20/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.232 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    svchost
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\Tom McNeal\Desktop\dds.scr
    C:\WINDOWS\system32\taskkill.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.aol.com/
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
    mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
    mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-system: EnableProfileQuota = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
    Filter: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} -
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs: c:\windows\system32\diyahema.dll,lofiketo.dll
    SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

    =============== Created Last 30 ================

    2009-11-20 03:27:03 2713 --sh--w- c:\windows\system32\yajigozo.exe
    2009-11-19 09:26:41 2713 --sh--w- c:\windows\system32\mubaruve.exe
    2009-11-18 15:25:41 2713 --sh--w- c:\windows\system32\lokimoli.exe
    2009-11-17 21:29:42 0 d-----w- c:\docume~1\alluse~1\applic~1\11220814
    2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
    2009-11-17 21:29:27 92672 --sh--w- c:\windows\system32\diyahema.dll
    2009-11-17 21:29:21 53248 --sh--w- c:\windows\system32\gobewowi.dll
    2009-11-17 21:18:48 39424 ----a-w- c:\windows\system32\fonemike.dll
    2009-11-17 21:13:06 53248 ----a-w- c:\windows\system32\zayezeru.dll
    2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
    2009-11-11 18:21:00 12032 ----a-w- c:\windows\system32\iehelper.dll
    2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
    2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
    2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
    2009-11-10 02:58:31 52736 ----a-w- C:\ydlcgx.exe
    2009-11-10 02:58:20 0 --sha-w- C:\15226409
    2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
    2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
    2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    2003-03-19 05:59:12 207759 ----a-w- c:\program files\INSTALL.LOG
    2009-08-10 03:04:27 115200 --sha-w- c:\windows\system32\hasijale.exe
    2009-08-10 03:04:27 39424 --sha-w- c:\windows\system32\keneruwo.dll
    2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\kodatewe.dll
    2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\lofiketo.dll
    2009-08-10 03:04:27 45056 --sha-w- c:\windows\system32\sutatuzu.dll
    2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\tevaziva.dll
    2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

    ============= FINISH: 11:53:25.52 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/24/2003 10:10:41 AM
    System Uptime: 11/17/2009 2:21:20 PM (69 hours ago)

    Motherboard: Dell Computer Corporation | | 07W080
    Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 56 GiB total, 18.55 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2017: 9/9/2009 3:00:29 AM - Software Distribution Service 3.0
    RP2018: 9/10/2009 3:07:07 AM - System Checkpoint
    RP2019: 9/11/2009 4:09:27 AM - System Checkpoint
    RP2020: 9/12/2009 5:07:09 AM - System Checkpoint
    RP2021: 9/13/2009 6:07:31 AM - System Checkpoint
    RP2022: 9/14/2009 7:07:01 AM - System Checkpoint
    RP2023: 9/15/2009 8:07:01 AM - System Checkpoint
    RP2024: 9/16/2009 9:07:01 AM - System Checkpoint
    RP2025: 9/17/2009 10:07:01 AM - System Checkpoint
    RP2026: 9/18/2009 11:08:06 AM - System Checkpoint
    RP2027: 9/19/2009 12:07:01 PM - System Checkpoint
    RP2028: 9/20/2009 1:07:01 PM - System Checkpoint
    RP2029: 9/21/2009 2:07:01 PM - System Checkpoint
    RP2030: 9/22/2009 3:08:06 PM - System Checkpoint
    RP2031: 9/23/2009 4:07:01 PM - System Checkpoint
    RP2032: 9/24/2009 5:07:01 PM - System Checkpoint
    RP2033: 9/25/2009 6:08:06 PM - System Checkpoint
    RP2034: 9/26/2009 7:07:02 PM - System Checkpoint
    RP2035: 9/27/2009 8:07:02 PM - System Checkpoint
    RP2036: 9/28/2009 8:08:17 PM - System Checkpoint
    RP2037: 9/29/2009 8:13:32 PM - System Checkpoint
    RP2038: 9/30/2009 9:06:41 PM - System Checkpoint
    RP2039: 10/1/2009 10:06:42 PM - System Checkpoint
    RP2040: 10/2/2009 11:06:42 PM - System Checkpoint
    RP2041: 10/3/2009 11:37:55 PM - System Checkpoint
    RP2042: 10/4/2009 11:42:09 PM - System Checkpoint
    RP2043: 10/6/2009 12:06:44 AM - System Checkpoint
    RP2044: 10/7/2009 1:06:49 AM - System Checkpoint
    RP2045: 10/8/2009 2:06:36 AM - System Checkpoint
    RP2046: 10/9/2009 3:06:40 AM - System Checkpoint
    RP2047: 10/10/2009 4:06:37 AM - System Checkpoint
    RP2048: 10/11/2009 5:03:59 AM - System Checkpoint
    RP2049: 10/12/2009 5:48:37 AM - System Checkpoint
    RP2050: 10/13/2009 3:00:22 AM - Software Distribution Service 3.0
    RP2051: 10/14/2009 3:14:41 AM - System Checkpoint
    RP2052: 10/15/2009 4:11:53 AM - System Checkpoint
    RP2053: 10/16/2009 3:01:05 AM - Software Distribution Service 3.0
    RP2054: 10/17/2009 3:48:50 AM - System Checkpoint
    RP2055: 10/18/2009 4:02:19 AM - System Checkpoint
    RP2056: 10/19/2009 5:02:24 AM - System Checkpoint
    RP2057: 10/20/2009 6:02:18 AM - System Checkpoint
    RP2058: 10/21/2009 7:02:15 AM - System Checkpoint
    RP2059: 10/22/2009 8:02:15 AM - System Checkpoint
    RP2060: 10/23/2009 9:02:08 AM - System Checkpoint
    RP2061: 10/24/2009 10:27:31 AM - System Checkpoint
    RP2062: 10/25/2009 11:03:14 AM - System Checkpoint
    RP2063: 10/26/2009 12:02:10 PM - System Checkpoint
    RP2064: 10/26/2009 11:02:41 PM - Spybot-S&D Spyware removal
    RP2065: 10/26/2009 11:34:30 PM - Software Distribution Service 3.0
    RP2066: 10/28/2009 12:13:08 AM - System Checkpoint
    RP2067: 10/29/2009 12:17:39 AM - System Checkpoint
    RP2068: 10/30/2009 1:18:33 AM - System Checkpoint
    RP2069: 10/31/2009 2:17:34 AM - System Checkpoint
    RP2070: 11/1/2009 3:17:35 AM - System Checkpoint
    RP2071: 11/2/2009 4:17:48 AM - System Checkpoint
    RP2072: 11/3/2009 5:17:47 AM - System Checkpoint
    RP2073: 11/4/2009 4:00:22 AM - Software Distribution Service 3.0
    RP2074: 11/5/2009 4:24:12 AM - System Checkpoint
    RP2075: 11/6/2009 5:25:24 AM - System Checkpoint
    RP2076: 11/7/2009 6:24:13 AM - System Checkpoint
    RP2077: 11/8/2009 6:24:10 AM - System Checkpoint
    RP2078: 11/9/2009 7:24:07 AM - System Checkpoint
    RP2079: 11/10/2009 12:05:27 AM - Spybot-S&D Spyware removal
    RP2080: 11/10/2009 12:10:07 AM - Spybot-S&D Spyware removal
    RP2081: 11/10/2009 12:16:22 AM - Spybot-S&D Spyware removal
    RP2082: 11/10/2009 12:45:00 AM - Spybot-S&D Spyware removal
    RP2083: 11/10/2009 1:01:19 AM - Spybot-S&D Spyware removal
    RP2084: 11/10/2009 9:17:55 AM - Spybot-S&D Spyware removal
    RP2085: 11/10/2009 9:37:35 AM - Spybot-S&D Spyware removal
    RP2086: 11/10/2009 10:10:16 AM - Spybot-S&D Spyware removal
    RP2087: 11/10/2009 1:00:40 PM - Spybot-S&D Spyware removal
    RP2088: 11/10/2009 1:27:04 PM - Spybot-S&D Spyware removal
    RP2089: 11/10/2009 1:28:05 PM - Spybot-S&D Spyware removal

    ==== Installed Programs ======================


    Ad-Aware
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.0.9
    Adobe® Photoshop® Album Starter Edition 3.0
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    ArcSoft PhotoStudio 5.5
    AVG Free 8.5
    BACS
    BCM V.92 56K Modem
    Bonfire Studio
    Britannica Ready Reference
    Broadcom Advanced Control Suite
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Support Core Library
    Canon Camera WIA Driver
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window DVC for ZoomBrowser EX
    Canon Camera Window for ZoomBrowser EX
    Canon EOS Kiss_N REBEL_XT 350D WIA Driver
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 1.6
    Canon Utilities EOS Capture 1.3
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX
    Core FTP LE 2.1
    Deer Hunter 2004 - Legendary Hunting
    Dell Picture Studio - Dell Image Expert
    Dell Solution Center
    Dell Support 5.0.0 (766)
    Digital Line Detect
    Easy CD Creator 5 Basic
    EOS Capture 1.3
    ERUNT 1.1j
    Garmin Communicator Plugin
    Garmin USB Drivers
    Garmin WebUpdater
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Help and Support Customization
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    hp deskjet 5550 series (Remove only)
    hp deskjet 5600
    hp instant support
    HP Memories Disc
    HP Photo and Imaging 2.0 - Deskjet Series
    hp print screen utility
    Intel(R) Extreme Graphics Driver
    Jeppesen Services
    LTspice IV
    LUMIX Simple Viewer
    MapSource
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.0 Hotfix (KB928367)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access Developer Extensions (English) 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Runtime (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Modem Helper
    MUSICMATCH Jukebox
    Paint Shop Pro 7
    PhotoStitch
    Quicken 2002 New User Edition
    QuickTime
    RAW Image Task 2.0
    RemoteCapture Task 1.1
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    TeLL me More
    TurboTax 2008
    TurboTax 2008 wiliper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax Home & Business 2006
    TurboTax Home & Business 2007
    TurboTax ItsDeductible 2006
    upapp
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Outlook 2007 Junk Email Filter (KB974810)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WexTech AnswerWorks
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    WordPerfect Office 2002

    ==== Event Viewer Messages From Past Week ========

    11/17/2009 2:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/17/2009 2:25:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/17/2009 2:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
    11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Smart Modular JeppDrive USB Driver service failed to start due to the following error: The system cannot find the file specified.
    11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/17/2009 2:22:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/17/2009 2:22:27 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu
      select
      Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck
      Resident TeaTimer
      and OK any prompts.
    • Restart your computer



    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Virtumonde

    Hi Blade81,

    Thanks again for your assistance and your quick replies!

    I have downloaded ComboFix and will copy it over to the infected machine as I did before with DDS.

    I have also printed out the ComboFix Instructions and will carefully read them before running the ComboFix program. I don't know how long it will take me to absorb and understand the ComboFix Instructions and Cautions but I will post the results ASAP.

    Being in Finland, and thus 6 or 7 hours ahead of me, you are probably nearing the end of your "Work Day!" :-) so I understand if you do not reply again as quickly as you have so far.

    If this is the case, please enjoy your "off time" and I will look forward to your next reply!

  8. #8
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Good News and Bad News

    Well Blade, I have some good news and then some bad news.

    I downloaded and copied ComboFix to the desktop of the infected machine. I then read and re-read the ComboFix Instructions to be sure of what I could expect. As per the instructions, before running ComboFix, I disabled my Anti/Virus/Malware and Firewall programs (SpyBot and AVG Resident Shields... and the Windows Firewall). The machine was not connected to the internet.

    After reading how ComboFix would check and install the Windows Restore Console if not already installed, I also checked my Win XP Help and Support Screen to verify that the Restore Console was present there. I also remembered seeing in the DDS report log a number of system restore points going back to at least October. So I was pretty sure that ComboFix would not need to install the Restore Console.

    I then ran ComboFix. The program ran as expected and outlined in the instructions, backed up the registry, created a restore point, and then surprisingly announced "This machine does not have the Windows Recovery Console installed...Without it ComboFix will not attempt to fix some serious infections... Click Yes to have ComboFix download/install it... an internet connection is required.)" This was unexpected but I then reconnected the machine to the internet and clicked Yes. The install reported that it was successful. (BUT I did notice this successful install message mentioned Windows XP SP2 and this machine does have SP3 installed.) Oh well, I thought, and clicked YES again to continue with Scanning.

    Scanning completed all the numbered scan stages and then reported...
    "C:\Windows\system32\ws2_32.dll INFECTED" and then...
    "Successfully Restored" Then deleting files... and deleting folders... (quite a few of each)

    I then saw the message saying "Preparing Log Report" but before ComboFix closed and succesfully displayed the log report the machine rebooted. After a long Welcome screen, a BLUE SCREEN opened saying... "A problem has been detected and Windows has been shut down to prevent damage... Check newly installed H/W and S/W... If this is the first time you've seen this screen RESTART the machine...." and...
    TECHNICAL INFO
    STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000000, 0x804DC25D)

    I could not shut down normally so I powered off the machine and turned it back on. SAME BLUE SCREEN, slightly different message about checking for Viruses and Hard Drive & HD Controllers.. and..
    TECHNICAL INFO
    STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

    Subsequent attempts to restart in NORMAL or SAFE MODE resulted in the same second blue screen described above. I did not try starting at a SYSTEM RESTORE POINT. Before trying a SYSTEM RESTORE point I thought I'd ask you what RESTORE POINT I should select if I can get to that point and if you think any restore point might be successful.

    TRY SYSTEM RESTORE...
    TO A DATE BEFORE THE INFECTION?
    TO A DATE BEFORE OR AFTER my initial HJT scan or DDS scan?
    TO A DATE AND TIME BEFORE the ComboFix Scan
    OR WHAT?

    Having not yet been able to restart in safe or normal mode, I am not sure if ComboFix successfully created & saved a report as C:\ComboFix.txt.

    I sure hope you know what's happening and you can still help!

    TomZT

    PS: Also in case it might help you... while checking that all my anti/virus/spyware was disabled and before running ComboFix, I opened TASK MANAGER and noticed 20-30% of CPU was being used (Off and On) by the process "taskill.exe or taskkill.exe". I didn't like the looks of that but proceeded with the ComboFix as described above.

  9. #9
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Have you tried to reboot using last known good configuration -option?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  10. #10
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Rebooting

    Hi Blade,
    Do you mean... try a sytem restore to a point before the infection happened?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •