
Thread: Virtumonde-New Thread-As Per request

  1. #61
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

I believe it's pretty late where you live, so the following steps may be best left till later.


    Before we continue, delete old ComboFix.exe file on your desktop.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
• Run Spybot-S&D in Advanced Mode
• If it is not already set to do this, go to the Mode menu and select Advanced Mode
• On the left hand side, click on Tools
• Then click on the Resident icon in the list
• Uncheck Resident TeaTimer and OK any prompts.
• Restart your computer



    Download a fresh copy of ComboFix from one of these links to your desktop:
    Link 1
    Link 2


    Disable antivirus protection and run ComboFix. Post back the resultant log & fresh dds log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #62
    Member
    Join Date
    Nov 2009
    Posts
    70


    Good Morning and Good Evening Blades!
    You were right! I really did need some sleep!

    Before I continue on...

    As you know, I post most of the time from a good machine,
    then when I have to post a log from the infected machine...
    I disconnect my good machines from the router...
    then reconnect the bad machine to the router with SpyBot/TeaTimer and AVG Resident Shield enabled to post the log...
    Then disconnect the bad machine and reconnect the good machines.
    (I've been leaving SpyBot/TT and AVG/RS running on the bad machine unless & until you instruct me to disable them before doing fixes.)

    After "my nap", the bad machine is now displaying an AVG Window...
    TITLE BAR: AVG Resident Shield Alert
    Multiple Threat Detection:
    FILE: c:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2090\A0051449.dll
    INFECTION: Trojan horse BHO.JEW
    RESULT: Infected (There are 6 instances - exactly the same)
    BUTTONS: REMOVE SELECTED INFECTIONS/REMOVE ALL UNHEALED INFECTIONS/OR CLOSE

    What (if anything?) should I do with this AVG Alert before I proceed with downloading and running a fresh ComboFix and a new DDS scan?

  3. #63
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Ignore those AVG alerts for now. System restore will be cleaned a bit later.

  4. #64
    Member
    Join Date
    Nov 2009
    Posts
    70


    OK Blade!

    I will just X out of the AVG alert window and proceed with your last instructions. I'll post again when done.

    BTW When do you sleep?

  5. #65
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    It's just 7.15pm here so I'll stay awake for the next 5 hrs or so

  6. #66
    Member
    Join Date
    Nov 2009
    Posts
    70

Two steps forward, One Step Back!

    Hi Blade,
    I apologize for all the trouble I'm having and what may seem to be an excessive amount of caution.

Before downloading and running the fresh ComboFix and the new DDS scan, I could no longer access the internet from the problem machine. I tried a restart and Control Panel > Network Connection > Repair, but neither one helped. Hopefully we can get this corrected later.

    So I downloaded a Fresh ComboFix on a good machine and brought it over to the bad machine via CD. Then I ran both scans which appeared to complete normally.

    Unfortunately, I can think of no other choice but to copy the logs to a CD on the bad machine and bring them over to a good machine to post. I understand there is some risk here!

    I first viewed the CD making sure I was NOT Hiding Hidden files and folders or Hiding OS files and then scanned the CD with the TWO text files with Spybot and AVG; No threats were detected. I did notice though, that AVG reported scanning THREE OBJECTS instead of just the TWO text files. I'm wondering what the THIRD OBJECT might be.

Please let me know if you think it is safe to copy the text files from the CD to one of the good computers to get the logs posted?

  7. #67
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    It's safe to copy those.

  8. #68
    Member
    Join Date
    Nov 2009
    Posts
    70


    Thanks again Blade for your help and your patience with me!

    Here's the ComboFix Log:

    ComboFix 09-11-25.01 - Tom McNeal 11/25/2009 12:13.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.427 [GMT -6:00]
    Running from: c:\documents and settings\Tom McNeal\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Shared
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Application Data\11220814\11220814.bat
    c:\documents and settings\All Users\Application Data\11220814\11220814.exe
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\All Users\Documents\ZbThumbnail.info
    c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
    c:\program files\INSTALL.LOG
    c:\program files\Shared\_lib.sig
    c:\program files\Shared\lib.sig
    c:\windows\cPRASO.dll
    c:\windows\system32\dezojoyi.exe
    c:\windows\system32\diyahema.dll
    c:\windows\system32\drivers\fad.sys
    c:\windows\system32\drivers\pciide.sys
    c:\windows\system32\fonemike.dll
    c:\windows\system32\gobewowi.dll
    c:\windows\system32\hasijale.exe
    c:\windows\system32\iehelper.dll
    c:\windows\system32\jehezaho.dll.tmp
    c:\windows\system32\keneruwo.dll
    c:\windows\system32\kodatewe.dll
    c:\windows\system32\lofiketo.dll
    c:\windows\system32\lokimoli.exe
    c:\windows\system32\mubaruve.exe
    c:\windows\system32\sutatuzu.dll
    c:\windows\system32\tevaziva.dll
    c:\windows\system32\vahafeku.dll.tmp
    c:\windows\system32\wbem\proquota.exe
    c:\windows\system32\yajigozo.exe
    c:\windows\system32\yosezezu.dll.tmp
    c:\windows\system32\zayezeru.dll
    C:\ydlcgx.exe

    -- Previous Run --

    Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    --------

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
    .

    2009-11-25 02:06 . 2001-08-17 19:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-17 21:29 . 2009-11-17 21:29 1209915 --sh--w- c:\windows\system32\savohofu.exe
    2009-11-11 21:00 . 2009-11-11 21:00 -------- d-----w- c:\program files\Trend Micro
    2009-11-11 17:36 . 2009-11-11 17:36 -------- d-----w- c:\program files\ERUNT
    2009-11-10 02:58 . 2009-11-10 02:58 52736 ----a-w- C:\luobk.exe
    2009-11-06 19:00 . 2009-11-06 19:00 -------- d-----w- C:\spoolerlogs
    2009-11-05 16:01 . 2009-11-05 16:01 -------- d-----w- c:\program files\NZ Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-10 04:04 . 2003-03-19 06:02 97424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-05 16:01 . 2003-03-19 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-10-27 05:06 . 2005-02-04 06:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-27 04:47 . 2008-12-24 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-10-27 04:40 . 2008-12-24 18:53 -------- d-----w- c:\program files\Microsoft Works
    2009-10-27 03:19 . 2008-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 07:36 . 2004-08-24 01:32 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-08-29 07:36 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-02-25 684032]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-18 282624]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
    "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]
    "BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-18 45056]
    LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-6-26 61440]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-10 06:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [7/9/2009 11:53 PM 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:52 PM 298776]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 8:42 AM 133104]
    S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2003-07-25 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-Packardeskjet4E8BF07F6DE51996434C1696D032A924550.job
    - c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 22:12]

    2009-11-25 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 14:40]

    2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 14:41]

    2009-11-25 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-15 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
    HKCU-Run-kfqcaekj - c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
    HKLM-Run-kfqcaekj - c:\documents and settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
    HKLM-Run-11220814 - c:\documents and settings\All Users\Application Data\11220814\11220814.exe
    HKLM-Run-jepedonug - c:\windows\system32\diyahema.dll
    HKLM-Run-jokimuruha - kodatewe.dll
    SharedTaskScheduler-{68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    SharedTaskScheduler-{c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    SSODL-vuzuwuhif-{68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    SSODL-jumikuwif-{c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    AddRemove-BCM V.92 56K Modem - c:\windows\BCMSMU.exe quiet



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-25 12:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83B5A170]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf764cf28
    \Driver\ACPI -> ACPI.sys @ 0xf75bfcb8
    \Driver\atapi -> atapi.sys @ 0xf7551852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf745dbb0
    PacketIndicateHandler -> NDIS.sys @ 0xf744ca0d
    SendHandler -> NDIS.sys @ 0xf7460b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(236)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-25 12:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-25 18:47

    Pre-Run: 19,906,727,936 bytes free
    Post-Run: 19,863,654,400 bytes free

    - - End Of File - - 75085D53AD29566D718D8ACE5D6146C5

    ===========================================
    AND THE NEW DDS LOG
    ===========================================


    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Tom McNeal at 12:55:29.79 on Wed 11/25/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.361 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.taxidermy.net/forum/index.php?PHPSESSID=7f0b92f066d537238560b422c507423a&board=14.0
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

    =============== Created Last 30 ================

    2009-11-25 18:47:57 54156 ---ha-w- c:\windows\QTFont.qfn
    2009-11-25 18:47:57 1409 ----a-w- c:\windows\QTFont.for
    2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
    2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
    2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
    2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
    2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
    2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
    2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
    2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
    2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
    2009-11-10 02:58:20 0 --sha-w- C:\15226409
    2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
    2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

    ============= FINISH: 12:57:06.20 ===============

  9. #69
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again,


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\savohofu.exe
    C:\luobk.exe
    c:\windows\system32\virasuza
    C:\15226409
    DDS::
    BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


• Go here to run an online scanner from ESET.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • Make sure that the option Remove found threats is UNchecked.
    • Click Scan
    • Wait for the scan to finish
    • Post back the report, a fresh dds.txt log and above mentioned ComboFix resultant log.
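As an added illustration (not code from this thread, nor from the ComboFix or DDS authors), the Python below parses a DDS log in the layout posted above, pulls out the "Pseudo HJT Report" entries that DDS marks "- No File" and the "Created Last 30" files carrying the hidden or system attribute, and lays them out in the File::/DDS:: CFScript layout used in the post. The sample log is constructed from a handful of lines of the log above; the selection rule is an assumed triage heuristic, not the helper's method, and its output is a review list for a human: note that it also picks up the legitimate QuickTime font cache, which is exactly why such lists are checked by eye before anything is acted on.

```python
import re
from typing import Dict, List

# Constructed sample: a cut-down DDS log in the same layout as the one posted
# in the thread ('=== name ===' section headers, Pseudo HJT lines, and
# 'Created Last 30' lines with date, time, size, attribute field, path).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

=============== Created Last 30 ================

2009-11-25 18:47:57 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs

============= FINISH: 12:57:06.20 ===============
"""

# A DDS section header is a run of '=' on both sides of the section name.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its named sections; blank lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def orphan_entries(sections: Dict[str, List[str]]) -> List[str]:
    """Pseudo HJT lines whose target is gone (DDS prints '- No File')."""
    return [line for line in sections.get("Pseudo HJT Report", [])
            if line.endswith("- No File")]


def hidden_created_files(sections: Dict[str, List[str]]) -> List[str]:
    """Recently created files whose attribute field carries hidden (h) or
    system (s). Assumed heuristic: directories (attrs starting 'd') are
    skipped, everything else is returned for human review."""
    found: List[str] = []
    for line in sections.get("Created Last 30", []):
        parts = line.split(None, 4)        # date, time, size, attrs, path
        if len(parts) != 5:
            continue
        attrs, path = parts[3], parts[4]
        if attrs.startswith("d"):
            continue
        if "s" in attrs or "h" in attrs:
            found.append(path)
    return found


def build_cfscript(files: List[str], dds_lines: List[str]) -> str:
    """Lay the candidates out in the File:: / DDS:: layout seen in the post."""
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
    if dds_lines:
        out.append("DDS::")
        out.extend(dds_lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_DDS)
    print(build_cfscript(hidden_created_files(parsed), orphan_entries(parsed)))
```

Splitting on whitespace with a limit of four keeps paths that contain spaces (such as "c:\program files\Trend Micro") intact, and the attribute check is deliberately loose: a reviewer wants every hidden or system file from the last 30 days on the list, then removes known-good ones like QTFont.qfn by hand.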

  10. #70
    Member
    Join Date
    Nov 2009
    Posts
    70


    Thanks Blade,

I will work my way through the above steps. Some of this will be difficult (especially the last one, the online scanner from ESET) without being able to connect to the internet from the problem machine.

    Do you have any suggestions how I can restore the internet connection?
