Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

Doh! I forgot, I renamed it. Now that I think about it, each time I deleted Combofix to reinstall, I only deleted the executable on the desktop. I was not doing a real uninstall. That might have been my problem making it run - not to mention the malware biting at it. Okay, just deleted the two folders.

Just one question. I heard Norton is tough to remove. I would like to instead use a free av for now. I heard that Antivir free version is good enough. I just wonder if my system is too "infiltrated" with Norton to use something else. Maybe I should just pay the $40 and keep using it until the day I reformat my hdd? Actually, I did hear good things about the new Norton suite.

Thanks again!
 
I heard that Antivir free version is good enough.
I understand it is a good free program, see this link:
http://users.telenet.be/bluepatchy/miekiemoes/Links.html

I personally use AVG 8 free, if you use it, this tutorial will help:
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
and this information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

All programs should be uninstalled via Add Remove programs if possible. Having said that, even though I have never used a Symantec product, I know they are hard to remove, dealing with it all of the time. These links will help if the uninstaller does not do it:
http://basconotw.mvps.org/SymRem.htm or
http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Hope that helps
 
Wow, I thought I was done. Just for kicks, I thought I would go back and run another Spybot scan. What do you know. Virtumonde is back! Plus Right Media - tracking cookie: ad.yieldmanager.com.

I'm not going to trouble you guys with this. I already know what to do now. I'll let you know if I can't get rid of it.
 
I'm not going to trouble you guys with this. I already know what to do now. I'll let you know if I can't get rid of it.

Oops. :red: I hope I didn't lose you. I think I made some important progress. I remembered what I read here about Virtumonde: http://www.articlesbase.com/securit...monde-free-removal-peculiarities-570642.html:

First, it is necessary to unload malware services from system memory.
Second, registry entries and keys related to Trojan virtumonde should be deleted at once.
Third, malicious files should be permanently erased from the system.

All this has to be done in one Windows session, without restarting, or the Trojan will be able to restore itself to previous state.

I think this makes a lot of sense. I think if you leave the internet connected and don't kill everything at once, it will come back. So I decided to start from scratch. I did only the tasks that you had me do before - in the same order. But this time, I wanted to be offline and do it all in one session, without rebooting. Here's what I did:

  • Uninstalled all av products except for Norton.
  • Deleted temp stuff and Recycle Bin by using ATF Cleaner.
  • Removed ATF Cleaner.
  • Made sure Norton was on highest setting while going back online.
  • Downloaded and installed new versions of ATF Cleaner, Spybot, HJT, SmitFraud, ComboFix, and MBAM. Updated each with newest definitions while I was online.
  • Unplugged internet while Norton was still protecting.
  • Turned off Norton and everything else in Startup.
  • Reboot.
  • Run Spybot.
  • Run HJT.
  • Run SmitfraudFix.
  • Run ComboFix.
  • Run MBAM.
  • Run Norton.
  • Run Spybot again.
  • Run HJT again.
  • Turned Norton back on with full protect. Set IE to High security.
  • Reboot.
  • Reconnect internet.
  • Reboot.
  • Went back online here to post.
I have all of these logs if you think I should post them. From what I can see there is nothing unusual, except for the Combofix log. I actually have two of these logs as I did run Combofix once before doing everything above. It was this log that inspired me to do the above. In the "Reg Loading Points" section, there is an entry:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These dll entries are the same files that appeared in my Startup when I first had the infection. So I don't know if this is a problem. These lines are identical in both Combofix reports I have.

Some things to note:

  • All along, my systray clock has been on military time. I read that's a symptom of Virtumonde. Well at some point after when we thought we had everything fixed, I set the clock back to normal thru Regional and Language Options. But at some point again, it had changed back to military. Also, the font looked a different size. I don't know. Should I consider that a sign of still being infected? I just recently changed the clock format thru Regional and Language Options, and it seems to be sticking now.
  • The Virtumonde reference that Spybot caught at first that sent me into this tizzy: "User settings: HKEY_USERS\S-1-5-21-117609710-2000478354-1801674531-1003\Software\Microsoft\fias4013". If you google "fias4013", you may or may not find something interesting.
  • I always set my Taskbar to "Display Favorites". Well something keeps turning that off. I think it may be one of the av programs though.
  • Previously I was turning off Norton by using Startup and Services. This time, I opened the software and turned off all forms of scanning there as well. This took care of Norton popping up to interfere with other scans. But after doing this, I noticed a funny item in my Startup. It was only a square, followed by a dot, followed by a cross with a circle on top (forgot what that's called.) Anyway, now it's the same thing - except instead of a square, it's a Chinese character. (You'll see these in my above log(s) actually.)
So. What do you think? Is there anything else I should run? Here's my last Combofix, HJT Log, and Uninstall List:

ComboFix 08-11-27.03 - user01 2008-11-28 3:06:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1672 [GMT -5:00]
Running from: c:\documents and settings\user01\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 01:49 . 2008-11-28 02:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 01:42 . 2008-11-28 01:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 01:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 01:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 01:14 . 2008-11-28 01:14 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-28 01:13 . 2008-11-28 01:13 <DIR> d-------- c:\program files\MSECACHE
2008-11-27 23:45 . 2008-11-28 03:00 214 --a------ c:\windows\system32\tmp.reg
2008-11-26 19:50 . 2008-11-26 19:50 <DIR> d-------- c:\documents and settings\user01\Application Data\Malwarebytes
2008-11-26 19:50 . 2008-11-26 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 08:43 . 2008-11-26 08:43 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:43 . 2008-11-26 08:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 21:17 . 2008-11-23 21:17 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 15:26 . 2008-11-23 15:26 95 --a------ c:\windows\wininit.ini
2008-11-23 13:54 . 2008-11-28 01:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:13 . 2008-11-23 11:13 <DIR> d-------- C:\ccd066084f53d0438d065ff286
2008-11-23 11:03 . 2008-11-23 11:03 <DIR> d-------- C:\725ff6cd28be1104e3bc64
2008-11-23 11:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --a------ c:\windows\system32\SET4C.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\SET13.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-23 11:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-23 11:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-21 09:06 . 2008-11-22 23:04 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-21 09:06 . 2008-11-21 09:06 1,409 --a------ c:\windows\QTFont.for
2008-11-10 18:14 . 2008-11-26 12:28 <DIR> d-------- c:\program files\Common
2008-11-03 19:30 . 2008-11-03 19:30 <DIR> d-------- c:\program files\MultipleIEs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 20:28 --------- d-----w c:\program files\QBImport
2008-11-26 13:42 --------- d-----w c:\program files\Java
2008-11-23 06:27 --------- d-----w c:\program files\Bradbury
2008-10-31 03:07 --------- d-----w c:\program files\Opera
2008-10-25 00:41 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-01 19:37 --------- d-----w c:\program files\Safe Storage
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\SET54.tmp
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\SET17.tmp
2008-09-06 04:30 241,704 ------w c:\windows\system32\SETB.tmp
2008-09-06 04:30 1,480,232 ------w c:\windows\system32\SETA.tmp
2008-09-06 04:30 1,480,232 ------w c:\windows\system32\SET45.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coloreal Visual.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Coloreal Visual.lnk
backup=c:\windows\pss\Coloreal Visual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoGamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
backup=c:\windows\pss\MonacoGamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
backup=c:\windows\pss\MonacoReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Road Runner Safe Storage.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Road Runner Safe Storage.lnk
backup=c:\windows\pss\Road Runner Safe Storage.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Internet Call Notification.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk
backup=c:\windows\pss\U.S. Robotics Internet Call Notification.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user01^Start Menu^Programs^Startup^RoadRunner Setup Wizard.lnk]
path=c:\documents and settings\user01\Start Menu\Programs\Startup\RoadRunner Setup Wizard.lnk
backup=c:\windows\pss\RoadRunner Setup Wizard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2003-03-26 10:15 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2006-03-09 11:47 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMixer]
--------- 1999-11-18 05:01 20480 c:\program files\Creative\Audio\Program\Ctmix32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox MultiDesktop]
--------- 2003-07-10 16:35 417792 c:\windows\system32\PowerDesk8\MultiDesk\pdmmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk 8]
--------- 2003-09-10 11:16 77824 c:\windows\system32\PowerDesk8\PowerDesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
--------- 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-05-06 13:16 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-05-06 13:05 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-26 08:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--------- 2005-04-27 17:42 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-05-06 13:05 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-06-30 09:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Matrox Graphics Inc\\PowerDesk SE\\Matrox.Pdesk.ServicesHost.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

[HKLM\~\Services\\Matrox.PowerDesk.Services.exe"=]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Mtxparmx;Mtxparmx;c:\windows\system32\DRIVERS\Mtxparmx.sys [2008-09-22 5504]
R2 Matrox Centering Service;Matrox Centering Service;"c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\DRIVERS\MTXPARM.sys [2008-09-22 1485568]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys []
S3 Gamrddss;Gamrddss; []
S3 Hiemrt;Hiemrt; []
S3 MTXPARH;MTXPARH;c:\windows\system32\DRIVERS\MTXPARHM.sys [2003-11-20 452736]
S3 Netdwssrrw;Netdwssrrw; []
S3 Nmlnkfkahta;Nmlnkfkahta; []
S3 Rassosadcswf;Rassosadcswf; []
S3 Sfl78pospt;Sfl78pospt; []
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
S4 .nmspsr;.nmspsr; []
.
Contents of the 'Scheduled Tasks' folder

2003-12-01 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2003-12-01 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\user01\Application Data\Mozilla\Firefox\Profiles\8rye090x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Documents%20and%20Settings/user01/My%20Documents/Practice/Practice%20-%2015%20-%20SIS/sis-05-xhtml.htm
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 03:08:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-28 3:09:49
ComboFix-quarantined-files.txt 2008-11-28 08:09:17

Pre-Run: 93,186,830,336 bytes free
Post-Run: 93,173,379,072 bytes free

206


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:51, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user01\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7366 bytes


Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java(TM) 6 Update 10
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Malwarebytes' Anti-Malware
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver
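The two entries the poster keeps seeing ("zowafeduve" and "CPM27936735", both launching a DLL from system32 through Rundll32.exe) and the Security Center "DisableNotify" values in the same ComboFix log are the kind of thing a helper scans such a log for by eye. The script below is an added example, not part of the thread or of ComboFix, that reads a "Reg Loading Points" excerpt in REGEDIT4 form and flags those two patterns. The sample input is constructed here for the example; the Run- and Security Center lines are copied from the log quoted above, and the "random-looking name" rule (6 to 12 lowercase letters, nothing else) is an assumption chosen to match the names in this thread, not a general definition of Virtumonde.

```python
import re

# Constructed excerpt in ComboFix "Reg Loading Points" format. The Run- entries
# and Security Center values are the ones quoted in the post above; the rest is
# sample input assembled for this example.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"=(.*)$')
# rundll32[.exe] "<path>.dll",<export>  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.I)
# Assumed rule for "random-looking" file stems: 6-12 lowercase letters only.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,12}$")


def parse_loading_points(text):
    """Yield (registry_key, value_name, value_data) from a REGEDIT4-style dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def classify(key, name, data):
    """Return a reason string if the entry matches a watched pattern, else None."""
    m = RUNDLL_RE.match(data)
    if m:
        dll = m.group(1)
        stem = dll.rsplit("\\", 1)[-1][:-4].lower()  # strip directory and ".dll"
        if "\\system32\\" in dll.lower() and RANDOM_STEM_RE.match(stem):
            return "rundll32 loads a random-named DLL from system32: " + dll
    # Security Center values of 1 suppress the "antivirus/updates off" warnings.
    if (key.lower().endswith("security center")
            and name.endswith("DisableNotify")
            and data.lower() == "dword:00000001"):
        return "Security Center notification disabled: " + name
    return None


def triage(text):
    """Collect every flagged entry from a loading-points excerpt."""
    findings = []
    for key, name, data in parse_loading_points(text):
        reason = classify(key, name, data)
        if reason:
            findings.append({"key": key, "name": name, "data": data, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['key']}]\n  {f['name']} = {f['data']}\n  -> {f['reason']}")
```

Run against the sample it reports the two Rundll32 entries and the two Security Center values and leaves ctfmon.exe and MSConfig alone. A flagged entry is a lead for the helper to check (file name, location, and whether the Security Center settings were changed on purpose), not proof of infection on its own.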
 
I wish you would just post what your problem is instead of a lot of information I have not asked for. How about you tell me exactly what symptoms you are having. If you receive any error messages, post those word for word.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HJT log and NOTHING else but comments you think will help.

Thanks
 
I wish you would just post what your problem is instead of a lot of information I have not asked for. How about you tell me exactly what symptoms you are having. If you receive any error messages, post those word for word.

Sorry about that, I just thought you would want as much information as possible. When other people are having similar symptoms, there might be a correlation. I thought I was doing us all a favor. I guess my mistake was posting the logs you didn't ask for. If you just ignore the logs and look at everything above them, it's all possibly relevant. But I'll summarize my symptoms:

Post 24: I thought we were all done, but ran another Spybot scan. It came up with a new Virtumonde reference:

Virtumonde:
User settings:
HKEY_USERS\S-1-5-21-117609710-2000478354-1801674531-1003\Software\Microsoft\fias4013

ComboFix scan yielded in the "Reg Loading Points" section:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These dll entries are the same files that appeared in my Startup when I first had the infection.

Systray clock was stuck on military time. Though I might have regained control of that now.

Well, I can't get the Kaspersky online scanner to work. It says I need Java 1.5 or higher. I have the latest version. Reinstalled anyway. Set IE to loosest Java and ActiveX specs possible. I hate doing that. But did anyway. Still tells me I need Java 1.5. Norton is completely off. I noticed that their page gives me a general yellow triangle Java error message at the bottom (only if I go straight to the free download page. If I click a link and go back, no error.)
 
If the instructions I posted in Post #16 were followed, you would not have combofix on the computer. If we use it again I will want a new copy because it does not update. If you removed combofix, the clock should have returned to normal. If not, here are directions:
http://www.ehow.com/how_4483170_time-regular-time-windows-xp.html

What I need now, since you can not seem to run Kaspersky Online Scan, is a fresh HJT log.
Then post it here along with a new HJT log
Thanks
 
If the instructions I posted in Post #16 were followed, you would not have combofix on the computer. If we use it again I will want a new copy because it does not update. If you removed combofix, the clock should have returned to normal.

Actually, I did uninstall Combofix before I ran it again. (I also searched my hdd for combofix just to make sure there were no remnants. Then emptied Recycle Bin and cleared with ATF Cleaner.) The Combofix log results that I gave you that referenced those rogue dll files, they came from a fresh install of Combofix.

When I double-clicked HJT on my desktop, I got an error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." So I uninstalled it, then came back and reinstalled from the link on your site. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:57 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\user01\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7464 bytes

Thanks!
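As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script for a log in the HijackThis v2.0.2 layout posted above. It pulls out the groups a helper looks at first: the O15 Trusted Zone entries (flagging wildcard patterns, which trust every host under a domain rather than one named site), the O2/O3 browser helper objects and toolbars with their CLSIDs and DLL paths (the DLLs that load into every Internet Explorer process, which is where Virtumonde-style infections sit alongside the Run keys), and the O23 services whose publisher HJT reports as "Unknown owner". The sample log embedded in the script is constructed from a few lines in the same layout; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2.0.2 log layout, trimmed to a few
# lines of the kinds seen in the log above. Not a real log from this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:57 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.nasdaq.com
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 1234 bytes
"""

# Every HJT finding is "<code> - <text>", e.g. "O15 - Trusted Zone: ..."
HJT_ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
# O2/O3 entries are "<kind>: <name> - {CLSID} - <dll path>"
CLSID_PATH = re.compile(r"^(.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_hjt(text):
    """Group log entries by their HJT section code (R0, O2, O15, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def trusted_zones(sections):
    """O15 entries: hosts added to IE's Trusted zone, as (target, is_wildcard).
    A wildcard trusts every host under the domain, so it deserves a closer
    look than a single named site."""
    zones = []
    for entry in sections.get("O15", []):
        target = entry.split(":", 1)[1].strip()   # "Trusted Zone: <target>"
        zones.append((target, "*" in target))
    return zones


def browser_helpers(sections):
    """O2 (BHO) and O3 (toolbar) entries as (code, name, CLSID, dll path)."""
    found = []
    for code in ("O2", "O3"):
        for entry in sections.get(code, []):
            m = CLSID_PATH.match(entry)
            if m:
                kind_and_name, clsid, path = m.groups()
                found.append((code, kind_and_name.split(":", 1)[1].strip(), clsid, path))
    return found


def unknown_owner_services(sections):
    """O23 services whose publisher HJT could not identify."""
    return [e for e in sections.get("O23", []) if " - Unknown owner - " in e]


if __name__ == "__main__":
    s = parse_hjt(SAMPLE_HJT_LOG)
    for target, wild in trusted_zones(s):
        print("O15", target, "(wildcard)" if wild else "")
    for code, name, clsid, path in browser_helpers(s):
        print(code, name, clsid, path)
    for svc in unknown_owner_services(s):
        print("O23", svc)
```

To use it on a real log, replace `SAMPLE_HJT_LOG` with the file contents (`open("hijackthis.log").read()`); the grouping by section code is what makes the rest of the log easy to filter, since each HJT line type has a fixed layout after the code.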
 
Thanks for the HJT log, one step at a time. This HJT log (Logfile of Trend Micro HijackThis v2.0.2, scan saved at 2:49:57 PM, on 11/28/2008), with the exception of the O15 Trusted Zone items which you assure me are valid, appears to be clean.

What I want from you is a description of any malware symptoms that are occurring on the computer. I am interested only in actual physical symptoms, like popups, redirections, etc.

Please do not quote my instructions, it is a waste of space, I know what I said and you can scroll back if you need to read the instructions.

Thanks
 
Everything is still running fast. No popups or redirects. Only a couple of things I noticed that are probably nothing:

After rebooting, when it's coming back up - the part where the screen says something like "Please select an operating system..." I think you have the choice of selecting operating system options. It's too quick to really see. But anyway, it seems to hold for an extra full second at this screen - where it was quicker before all of this.

This probably doesn't qualify, but the startup item I mentioned earlier is kind of strange. Now I don't see it. But earlier for this particular line item, both the Startup Item and Command were a face - followed by a dot, followed by a question mark. This face was kind of like a smiley icon ;<) I forgot what you call these. But it was more complex, looked kind of like a cat face - obviously man-made. Before that, the cat face was a cross with a circle at the top - kind of like the Blue Oyster Cult cross. Yeah, that's a stretch. But it's all I can come up with!
 
Update your antivirus program and scan the complete system, post the results.
 
Well I'm not worried about those issues if you're not (from #31). But thanks for the links. All of this has me in computer maintain mode. I have other issues to handle. So they look like good places to start.
 
pskelley, what do you think? Are we done? Before we wrap this up, can you tell me what these lines mean from the Combofix report from post #25?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These were under the "Reg Loading Points" section. I don't understand what that means. Is this a current threat? Or just harmless remnants of the past threat?

Thanks alot for the help! Everything really feels like it's back to normal. I can even get into Windows Update now. I haven't updated yet though. I wanted to make sure we were done first.
 
Those are old registry entries, the executables have been deleted so they can not harm you. I could probably come up with a CFScript to remove the information from the registry, but I don't see a reason for installing combofix again just to do that.


I believe I have done about all I can do, safe surfing.
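An added example, not from the thread and not ComboFix's own code: the reasoning in the reply above (the commands point at files that no longer exist, so the entries cannot load anything) can be checked mechanically instead of by eye. The Python below parses lines in the layout of ComboFix's "Reg Loading Points" section, works out which file each value would actually load (for a Rundll32 command that is the DLL inside the quotes, not Rundll32.exe itself, and the single letter after the comma is the export it would call), and labels an entry a remnant when that file is missing. It also records whether the key is one Windows reads at logon: the autostart key is CurrentVersion\Run, and the `run-` key (trailing hyphen) is not in that family, so even a present file under it would not start this way. The sample text and the "present files" set in the usage are constructed; the function names are assumptions of mine.

```python
import os
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section,
# reusing the three values quoted earlier in this thread. Not a real ComboFix log.
SAMPLE_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\run-]
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')         # "name"=command line
# rundll32 [".exe"] "<dll>",<export>  ->  the DLL is what really gets loaded
RUNDLL32 = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S*)', re.IGNORECASE)

# Key names Windows itself walks at logon. "run-" (trailing hyphen) is not one.
AUTOSTART_LEAVES = {"run", "runonce", "runonceex"}


def target_of(command):
    """Return (file that will actually be loaded, rundll32 export or None)."""
    command = command.strip()
    m = RUNDLL32.match(command)
    if m:
        return m.group(1), m.group(2)
    if command.startswith('"'):                      # quoted program path
        return command[1:].split('"', 1)[0], None
    return command.split()[0], None                  # bare path, args after a space


def parse_loading_points(text):
    """Turn [key] / "name"=command lines into a list of entry dicts."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, command = m.groups()
            target, export = target_of(command)
            entries.append({"key": key, "name": name, "command": command,
                            "target": target, "export": export})
    return entries


def classify(entries, exists=os.path.exists):
    """Mark each entry 'remnant' when its target file is gone, 'present' otherwise,
    and note whether the key is one Windows executes at logon. `exists` is
    injectable so the check can run offline against a recorded file list."""
    report = []
    for e in entries:
        leaf = e["key"].rsplit("\\", 1)[-1].lower()
        report.append({**e,
                       "autostart_key": leaf in AUTOSTART_LEAVES,
                       "state": "present" if exists(e["target"]) else "remnant"})
    return report


if __name__ == "__main__":
    for r in classify(parse_loading_points(SAMPLE_LOADING_POINTS)):
        flag = "AUTOSTART" if r["autostart_key"] else "not an autostart key"
        print(f'{r["name"]:14} {r["state"]:8} {flag:22} {r["target"]}')
```

On the affected machine the default `exists=os.path.exists` gives the live answer; pasted into a ComboFix log from another machine, pass a lookup over a directory listing instead, as the test below does with a constructed set containing only MSConfig.exe. An entry whose target is present and whose key is in the Run family is the one worth acting on; a missing DLL under `run-` is dead weight in the registry, which is the helper's point.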
 