
Thread: Virtumonde-New Thread-As Per request

#1 Member (Join Date: Nov 2009; Posts: 70)

    Must the bad machine be re-connected to the network in order to accomplish your last suggestion?

#2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Yes, to be able to see if the fix has any effect.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

#3 Member (Join Date: Nov 2009; Posts: 70)

    OK I will sign off this machine... disconnect the good machines... and connect the bad machine and post the results.

    I am still afraid to connect the bad machine to our network with any of the other good machines connected.

#4 Member (Join Date: Nov 2009; Posts: 70)

    Eureka!

    That worked great!

    The DNS servers radio button was not set to Automatic; it was set to use the bad 77.74.48.113.

    As soon as I flushed the DNS, the Windows Automatic Update button appeared, so I knew I was connected. IE connected fine and I am posting now from the bad machine.

    Thanks again! "You da' man Blades!"

    What's next? Should I just continue now with the online ESET scan and the Adobe Reader and Flash updates? Or go back for a fresh ComboFix, ATF, and DDS scan first?
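
The DNS hijack Tom found above, turned into a check you can run. This is an added example, not code from the thread or from any of the tools it names: it parses `ipconfig /all` output and reports adapters whose DNS servers are neither private addresses nor on an allowlist of resolvers you trust. The sample output, the adapter names and the second address 77.74.48.114 are constructed (only 77.74.48.113 comes from the thread), and the heuristic that a DHCP-assigned resolver on a home LAN is a private address is an assumption of the example, not something the thread states.

```python
"""Flag Windows adapters whose DNS servers point outside the local network.

Heuristic (an assumption of this example): on a home or small-office LAN the
resolver handed out by DHCP is the gateway or another RFC 1918 address, so a
DNS server that is neither private nor explicitly allowlisted deserves a look.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of XP-era `ipconfig /all` output; only 77.74.48.113 is
# taken from the thread, everything else here is made up for the example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : badmachine

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 77.74.48.113
                                            77.74.48.114

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.11
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.* adapter .+):$")
# "Label . . . . : value"; the label starts with a letter, dot leaders are skipped.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\-/ ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}}.

    Multi-value fields such as "DNS Servers" continue on following lines
    that carry no label; those are appended to the last label seen.
    """
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue  # global header block before the first adapter
        f = FIELD_RE.match(line)
        if f:
            last_key = f.group(1).strip()
            value = f.group(2).strip()
            adapters[current][last_key] = [value] if value else []
            continue
        extra = line.strip()
        if extra and last_key is not None:
            adapters[current][last_key].append(extra)  # continuation line
    return adapters


def suspicious_dns(adapters, allowlist=()):
    """List (adapter, server) pairs whose DNS server is neither private,
    loopback, nor in the caller's allowlist of trusted public resolvers."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for name, fields in adapters.items():
        for server in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue  # not an address (a stray suffix, for instance)
            if addr.is_private or addr.is_loopback or addr in allowed:
                continue
            findings.append((name, server))
    return findings


def main(argv):
    if argv[1:] == ["--live"] and sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    findings = suspicious_dns(parse_ipconfig(text))
    for adapter, server in findings:
        print(f"{adapter}: DNS server {server} is not on the local network")
    if findings:
        print("Set DNS to obtain automatically, then run: ipconfig /flushdns")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to parse the built-in sample, or with --live on a Windows machine to read the real ipconfig output; a non-zero exit means an adapter needs a look. The static setting itself lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID>\NameServer, with the DHCP-assigned servers in DhcpNameServer beside it, which is where to confirm the fix after switching the adapter back to automatic and flushing the cache.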

#5 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Good to hear that helped

    Quote (Tom): Should I just continue now with the online ESET scan and the Adobe Reader and Flash updates?
    Yes, let's carry out these things at this point. Also, let's run GMER after that.

    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When the scan is ready, click Copy. This copies the log to the clipboard.
    • Please save the log into a file and attach the file to your reply.

#6 Member (Join Date: Nov 2009; Posts: 70)

    Hi Blade,

    I installed the latest versions of Adobe Reader and Flash Player.

    But I was UNABLE to run the ESET Online Scan. I followed the ESET prompts to set up the scanner, but when it downloaded the Virus Signature Database (Step 2 of 4), I got an UNEXPECTED ERROR 2002 message. The configuration seemed to hang up there. When I pressed the BACK button to try to download the Virus DB a second time, a report popped up "Scan Complete" but all 0's. Files scanned = 0, etc.

    I used the ESET Uninstall on Exit option and tried again from scratch, but still the same error message at the end of the Virus DB download. I looked over the ESET FAQs and Help page but found no info on the 2002 Error Message.

    Have you ever seen this before or have any ideas on what might be causing this?

    My Internet Explorer is setup with both an AVG and a Google Toolbar. Could these toolbars prevent the installation, DB download, and successful ESET scan? Or perhaps certain Internet Security Options?

    Do you have any suggestions on getting the ESET Scan to work or should I just proceed on to the GMER TOOL?

#7 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    It seems either ESET is having issues or something else. Another user I'm helping elsewhere just reported about the same error.

    Let's use Malwarebytes' Anti-Malware instead (other instructions remain same).

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.

#8 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Good. Now there are two things to do: run ComboFix again and post back its log along with a fresh DDS log. Let me know how the system is running.

#9 Member (Join Date: Nov 2009; Posts: 70)

    New ComboFix & DDS

    Quote (Blade81): Good. Now there're two things to do: run ComboFix again and post back its log along with a fresh dds log. Let me know how's the system running.
    Good morning / Good evening Blades!

    Accomplished the above instructions... Logs are copied below...

    QUESTION: When I started ComboFix, message box popped up saying "A newer Update is Available. Update Now? YES/NO... I clicked YES and then thought, "I wonder if this is a real update or a fraud modification of ComboFix???" (CF appeared to run normally) Do you believe this was a valid CF Update?

    QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?

    The system appears to be running pretty good except for Windows Security Alert in Tray... "AVG A/V is out of date!" (I have not run or updated AVG or SpyBot for awhile.) Windows Automatic Updates are also turned off.

    Tom
    ==================================
    ComboFix Log
    ==================================
    ComboFix 09-11-26.02 - Tom McNeal 11/27/2009 9:51.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.333 [GMT -6:00]
    Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
    .

    2009-11-27 00:06 . 2008-04-13 18:40 96512 ----a-w- C:\atapi.sys.vir
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Malwarebytes
    2009-11-26 20:25 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 20:25 . 2009-11-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-26 20:25 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 18:07 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Tom McNeal\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2009-11-26 18:05 . 2009-11-26 18:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-26 18:03 . 2009-11-26 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-11-26 18:03 . 2009-11-26 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
    2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
    2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
    2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-26 18:06 . 2005-03-22 02:19 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-26 01:07 . 2005-09-12 16:32 -------- d-----w- c:\program files\Google
    2009-11-26 00:59 . 2003-03-19 05:59 -------- d-----w- c:\program files\Corel
    2009-11-26 00:51 . 2006-06-26 20:20 -------- d-----w- c:\program files\Panasonic
    2009-11-26 00:51 . 2006-06-26 20:29 -------- d-----w- c:\documents and settings\Tom McNeal\Application Data\Panasonic
    2009-11-26 00:49 . 2003-03-24 15:59 -------- d-----w- c:\program files\Hewlett-Packard
    2009-11-26 00:45 . 2003-03-19 05:57 -------- d-----w- c:\program files\Britannica
    2009-11-26 00:45 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-26 00:21 . 2009-01-13 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
    2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-11-25_18.32.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-28 18:02 . 2009-08-30 18:27 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
    + 2009-11-26 18:12 . 2009-11-26 18:12 88589 c:\windows\SYSTEM32\Macromed\Flash\uninstall_activeX.exe
    + 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2002-09-03 19:45 . 2009-11-27 06:10 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2002-09-03 19:45 . 2009-11-27 06:10 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    - 2002-09-03 19:45 . 2009-11-25 18:30 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    + 2009-11-26 18:07 . 2009-11-26 18:07 21504 c:\windows\Installer\7f5af5.msi
    + 2009-11-26 18:05 . 2009-11-26 18:05 27648 c:\windows\Installer\7f5aeb.msi
    + 2009-11-26 18:07 . 2009-11-26 18:07 3940352 c:\windows\Installer\7f5af0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - fwdoapog
    .
    Contents of the 'Scheduled Tasks' folder

    2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
    - c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

    2009-11-27 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

    2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-27 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-27 10:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2176)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2009-11-27 10:05
    ComboFix-quarantined-files.txt 2009-11-27 16:05
    ComboFix2.txt 2009-11-26 00:10
    ComboFix3.txt 2009-11-25 18:47

    Pre-Run: 20,230,172,672 bytes free
    Post-Run: 20,207,677,440 bytes free

    - - End Of File - - 78F338B5766500ED5A375984C93014CD

    =================================
    DDS Log
    =================================

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Tom McNeal at 10:13:22.95 on Fri 11/27/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.311 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://forums.spybot.info/forumdisplay.php?f=22
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
    R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

    =============== Created Last 30 ================

    2009-11-27 00:06:27 96512 ----a-w- C:\atapi.sys.vir
    2009-11-26 20:25:20 0 d-----w- c:\docume~1\tommcn~1\applic~1\Malwarebytes
    2009-11-26 20:25:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-26 20:25:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-26 20:25:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-26 20:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-26 00:21:08 0 d-----w- c:\windows\system32\appmgmt
    2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
    2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
    2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
    2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
    2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
    2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
    2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
    2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

    ============= FINISH: 10:13:47.87 ===============

#10 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Quote (Tom): Do you believe this was a valid CF Update?
    Yes, CF checks for an available update before it runs.

    Quote (Tom): QUESTION: Do you want me to paste (or attach) the DDS_Attach Log?
    Won't need attach.txt anymore.

    C:\atapi.sys.vir can be deleted. How is your system running now?
