Virtumonde-New Thread-As Per request

TomZT

New member
As requested by TASHI I am starting a new thread for my problem. (THANK YOU TASHI!)

For background information see my original post (11-10-09) at the following...

http://forums.spybot.info/showthread.php?t=53294

I've successfully restarted the problem computer in NORMAL MODE with no obvious sign of the previous infections and fake Anti Virus System Pro popups and warnings, porno sites, etc., but I do see a Yellow Triangle with an Exclamation Point (!) on top of my AVG Tray Icon.

I have backed up my Registry with ERUNT.

I did not disable the SpyBot resident shield (TeaTimer?).
I should note IE seemed to hang (not responding) and then recovered while typing this post.
My HJT scan log is copied below...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:15 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107516561703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E}: NameServer = 77.74.48.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: yosezezu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9e522adc4ffec) (gupdate1c9e522adc4ffec) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

--
End of file - 8491 bytes
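As an added illustration (not part of the original post and not HijackThis's own logic), the script below reads HijackThis lines like the ones in the log above and flags the entries a helper looks at first: a populated AppInit_DLLs value (O20), a text/html filter hijack (O18), SSODL and SharedTaskScheduler shell-load entries (O21/O22), a NameServer override (O17), autoruns launched from a user's profile data folder (O4), and the pseudo-random 8-9 letter names that Virtumonde components carry. The sample lines are copied from the log above; the rules, thresholds and the names `triage_line`, `triage` and `SAMPLE_HJT_LINES` are choices made here. A hit means "verify this entry", not "this entry is malicious": a NameServer can legitimately belong to the ISP, and the name heuristic is deliberately confined to labels chosen by whatever registered the entry, so vendor files such as avgrsstx.dll are not matched.

```python
import re
from typing import Dict, Iterable, List

# Heuristic (assumption made here): Virtumonde components carry pseudo-random
# lowercase names of 8-9 letters with no digits (yosezezu.dll, dukiyuzu.dll, kfqcaekj).
RANDOM_NAME = re.compile(r"[a-z]{8,9}")
# Base name (without extension) of any .dll/.exe mentioned in a log line.
BASENAME = re.compile(r'([^\\\s:"]+)\.(?:dll|exe)\b', re.I)

# Constructed sample: lines copied from the HijackThis log above, plus benign ones.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKLM\..\Run: [kfqcaekj] C:\Documents and Settings\Tom McNeal\Local Settings\Application Data\ogolyy\lwyesysguard.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E}: NameServer = 77.74.48.113",
    r"O18 - Filter hijack: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} - C:\WINDOWS\batmeter16.dll",
    r"O20 - AppInit_DLLs: yosezezu.dll",
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O21 - SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll (file missing)",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
]


def _loader_names(section: str, body: str) -> List[str]:
    """Names chosen by whatever registered the entry; installers normally use meaningful ones."""
    names: List[str] = []
    if section == "O4":
        names += re.findall(r"\[([^\]]+)\]", body)            # the [value name] of a Run entry
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        names += BASENAME.findall(body)                        # each DLL listed in AppInit_DLLs
    elif section in ("O18", "O21", "O22"):
        names += re.findall(r"^[^:]+: (\S+) -", body)          # the SSODL/STS label
        names += BASENAME.findall(body)                        # the DLL it points at
    return names


def triage_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line deserves a closer look (empty list = nothing notable)."""
    m = re.match(r"^([ORFN]\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons: List[str] = []

    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is populated: the DLL is loaded into every process that loads user32.dll")
    if section == "O18" and body.startswith("Filter hijack:"):
        reasons.append("MIME filter registered: the DLL sees every text/html page IE renders")
    if section in ("O21", "O22"):
        reasons.append("Explorer shell-load entry (SSODL/SharedTaskScheduler), rarely used by legitimate software")
        if "(file missing)" in body:
            reasons.append("referenced file reported missing: a leftover registration or a file hidden from the scanner")
    if section == "O17" and "NameServer" in body:
        reasons.append("DNS NameServer override: confirm the address belongs to the ISP or LAN")
    if section == "O4" and re.search(r"\\(Local Settings\\)?Application Data\\", body, re.I):
        reasons.append("autorun from a user profile data folder, where installers rarely place executables")
    if any(RANDOM_NAME.fullmatch(n) for n in _loader_names(section, body)):
        reasons.append("pseudo-random 8-9 letter name, the pattern Virtumonde components use")
    return reasons


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each notable log line to its reasons; lines with nothing notable are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_HJT_LINES).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

Run it as-is to see the five flagged entries from the sample; to use it on a real log, replace `SAMPLE_HJT_LINES` with the lines of the saved hijackthis.log. The per-section rules are kept separate from the name heuristic on purpose, so that a benign entry in a sensitive section (the AVG Winlogon Notify line) and a suspicious name in a harmless section each stay visible for what they are.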
 
Hi there,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Virtumonde Problems

Hi Blade81,

Thank you for your reply and your assistance. Please also pardon my questions, as I have little experience in these matters.

I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?

I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?

Should SpyBot and AVG be DISABLED when running the DDS tool?

And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?

I look forward to your reply!
ZT
 
I have downloaded DDS to a healthy computer and will bring it over to the infected machine on a CD, copy DDS to the desktop, and run the DDS scan. I will then post the results directly from the infected machine. Is this all OK?
Yes, that's ok :)

I am not sure what a script blocker is... Would this include SpyBot 1.6.2 and AVG 8.5 and the Resident Shield features of these two programs?

Should SpyBot and AVG be DISABLED when running the DDS tool?
Antivirus programs may contain a script blocking component. It's better to run DDS with protection software disabled (Spybot shouldn't cause any trouble even if it was enabled).

And should SpyBot and AVG be ENABLED before reconnecting the infected machine to the internet to post my DDS results?
Not necessarily, but have the firewall enabled.
 
Virtumonde

Hi Blade81,

Here are my DDS results:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tom McNeal at 11:50:25.63 on Fri 11/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.232 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Tom McNeal\Desktop\dds.scr
C:\WINDOWS\system32\taskkill.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
Filter: text/html - {55f665dc-4099-4d0f-8b1c-7938ee0d4932} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\diyahema.dll,lofiketo.dll
SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

=============== Created Last 30 ================

2009-11-20 03:27:03 2713 --sh--w- c:\windows\system32\yajigozo.exe
2009-11-19 09:26:41 2713 --sh--w- c:\windows\system32\mubaruve.exe
2009-11-18 15:25:41 2713 --sh--w- c:\windows\system32\lokimoli.exe
2009-11-17 21:29:42 0 d-----w- c:\docume~1\alluse~1\applic~1\11220814
2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
2009-11-17 21:29:27 92672 --sh--w- c:\windows\system32\diyahema.dll
2009-11-17 21:29:21 53248 --sh--w- c:\windows\system32\gobewowi.dll
2009-11-17 21:18:48 39424 ----a-w- c:\windows\system32\fonemike.dll
2009-11-17 21:13:06 53248 ----a-w- c:\windows\system32\zayezeru.dll
2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
2009-11-11 18:21:00 12032 ----a-w- c:\windows\system32\iehelper.dll
2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
2009-11-10 02:58:31 52736 ----a-w- C:\ydlcgx.exe
2009-11-10 02:58:20 0 --sha-w- C:\15226409
2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2003-03-19 05:59:12 207759 ----a-w- c:\program files\INSTALL.LOG
2009-08-10 03:04:27 115200 --sha-w- c:\windows\system32\hasijale.exe
2009-08-10 03:04:27 39424 --sha-w- c:\windows\system32\keneruwo.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\kodatewe.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\lofiketo.dll
2009-08-10 03:04:27 45056 --sha-w- c:\windows\system32\sutatuzu.dll
2009-08-17 21:32:01 53248 --sha-w- c:\windows\system32\tevaziva.dll
2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

============= FINISH: 11:53:25.52 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2003 10:10:41 AM
System Uptime: 11/17/2009 2:21:20 PM (69 hours ago)

Motherboard: Dell Computer Corporation | | 07W080
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 18.55 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2017: 9/9/2009 3:00:29 AM - Software Distribution Service 3.0
RP2018: 9/10/2009 3:07:07 AM - System Checkpoint
RP2019: 9/11/2009 4:09:27 AM - System Checkpoint
RP2020: 9/12/2009 5:07:09 AM - System Checkpoint
RP2021: 9/13/2009 6:07:31 AM - System Checkpoint
RP2022: 9/14/2009 7:07:01 AM - System Checkpoint
RP2023: 9/15/2009 8:07:01 AM - System Checkpoint
RP2024: 9/16/2009 9:07:01 AM - System Checkpoint
RP2025: 9/17/2009 10:07:01 AM - System Checkpoint
RP2026: 9/18/2009 11:08:06 AM - System Checkpoint
RP2027: 9/19/2009 12:07:01 PM - System Checkpoint
RP2028: 9/20/2009 1:07:01 PM - System Checkpoint
RP2029: 9/21/2009 2:07:01 PM - System Checkpoint
RP2030: 9/22/2009 3:08:06 PM - System Checkpoint
RP2031: 9/23/2009 4:07:01 PM - System Checkpoint
RP2032: 9/24/2009 5:07:01 PM - System Checkpoint
RP2033: 9/25/2009 6:08:06 PM - System Checkpoint
RP2034: 9/26/2009 7:07:02 PM - System Checkpoint
RP2035: 9/27/2009 8:07:02 PM - System Checkpoint
RP2036: 9/28/2009 8:08:17 PM - System Checkpoint
RP2037: 9/29/2009 8:13:32 PM - System Checkpoint
RP2038: 9/30/2009 9:06:41 PM - System Checkpoint
RP2039: 10/1/2009 10:06:42 PM - System Checkpoint
RP2040: 10/2/2009 11:06:42 PM - System Checkpoint
RP2041: 10/3/2009 11:37:55 PM - System Checkpoint
RP2042: 10/4/2009 11:42:09 PM - System Checkpoint
RP2043: 10/6/2009 12:06:44 AM - System Checkpoint
RP2044: 10/7/2009 1:06:49 AM - System Checkpoint
RP2045: 10/8/2009 2:06:36 AM - System Checkpoint
RP2046: 10/9/2009 3:06:40 AM - System Checkpoint
RP2047: 10/10/2009 4:06:37 AM - System Checkpoint
RP2048: 10/11/2009 5:03:59 AM - System Checkpoint
RP2049: 10/12/2009 5:48:37 AM - System Checkpoint
RP2050: 10/13/2009 3:00:22 AM - Software Distribution Service 3.0
RP2051: 10/14/2009 3:14:41 AM - System Checkpoint
RP2052: 10/15/2009 4:11:53 AM - System Checkpoint
RP2053: 10/16/2009 3:01:05 AM - Software Distribution Service 3.0
RP2054: 10/17/2009 3:48:50 AM - System Checkpoint
RP2055: 10/18/2009 4:02:19 AM - System Checkpoint
RP2056: 10/19/2009 5:02:24 AM - System Checkpoint
RP2057: 10/20/2009 6:02:18 AM - System Checkpoint
RP2058: 10/21/2009 7:02:15 AM - System Checkpoint
RP2059: 10/22/2009 8:02:15 AM - System Checkpoint
RP2060: 10/23/2009 9:02:08 AM - System Checkpoint
RP2061: 10/24/2009 10:27:31 AM - System Checkpoint
RP2062: 10/25/2009 11:03:14 AM - System Checkpoint
RP2063: 10/26/2009 12:02:10 PM - System Checkpoint
RP2064: 10/26/2009 11:02:41 PM - Spybot-S&D Spyware removal
RP2065: 10/26/2009 11:34:30 PM - Software Distribution Service 3.0
RP2066: 10/28/2009 12:13:08 AM - System Checkpoint
RP2067: 10/29/2009 12:17:39 AM - System Checkpoint
RP2068: 10/30/2009 1:18:33 AM - System Checkpoint
RP2069: 10/31/2009 2:17:34 AM - System Checkpoint
RP2070: 11/1/2009 3:17:35 AM - System Checkpoint
RP2071: 11/2/2009 4:17:48 AM - System Checkpoint
RP2072: 11/3/2009 5:17:47 AM - System Checkpoint
RP2073: 11/4/2009 4:00:22 AM - Software Distribution Service 3.0
RP2074: 11/5/2009 4:24:12 AM - System Checkpoint
RP2075: 11/6/2009 5:25:24 AM - System Checkpoint
RP2076: 11/7/2009 6:24:13 AM - System Checkpoint
RP2077: 11/8/2009 6:24:10 AM - System Checkpoint
RP2078: 11/9/2009 7:24:07 AM - System Checkpoint
RP2079: 11/10/2009 12:05:27 AM - Spybot-S&D Spyware removal
RP2080: 11/10/2009 12:10:07 AM - Spybot-S&D Spyware removal
RP2081: 11/10/2009 12:16:22 AM - Spybot-S&D Spyware removal
RP2082: 11/10/2009 12:45:00 AM - Spybot-S&D Spyware removal
RP2083: 11/10/2009 1:01:19 AM - Spybot-S&D Spyware removal
RP2084: 11/10/2009 9:17:55 AM - Spybot-S&D Spyware removal
RP2085: 11/10/2009 9:37:35 AM - Spybot-S&D Spyware removal
RP2086: 11/10/2009 10:10:16 AM - Spybot-S&D Spyware removal
RP2087: 11/10/2009 1:00:40 PM - Spybot-S&D Spyware removal
RP2088: 11/10/2009 1:27:04 PM - Spybot-S&D Spyware removal
RP2089: 11/10/2009 1:28:05 PM - Spybot-S&D Spyware removal

==== Installed Programs ======================


Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
ArcSoft PhotoStudio 5.5
AVG Free 8.5
BACS
BCM V.92 56K Modem
Bonfire Studio
Britannica Ready Reference
Broadcom Advanced Control Suite
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Core FTP LE 2.1
Deer Hunter 2004 - Legendary Hunting
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
Easy CD Creator 5 Basic
EOS Capture 1.3
ERUNT 1.1j
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
hp deskjet 5550 series (Remove only)
hp deskjet 5600
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel(R) Extreme Graphics Driver
Jeppesen Services
LTspice IV
LUMIX Simple Viewer
MapSource
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access Developer Extensions (English) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Runtime (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MUSICMATCH Jukebox
Paint Shop Pro 7
PhotoStitch
Quicken 2002 New User Edition
QuickTime
RAW Image Task 2.0
RemoteCapture Task 1.1
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
TeLL me More
TurboTax 2008
TurboTax 2008 wiliper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Home & Business 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2006
upapp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WexTech AnswerWorks
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WordPerfect Office 2002

==== Event Viewer Messages From Past Week ========

11/17/2009 2:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Smart Modular JeppDrive USB Driver service failed to start due to the following error: The system cannot find the file specified.
11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/17/2009 2:22:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/17/2009 2:22:27 PM, error: Ftdisk [45] - The system could not successfully load the crash dump driver.

==== End Of File ===========================
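
As an added example (not part of the original thread, and not code from DDS or from the helpers here), below is a small Python parser for the "Event Viewer Messages" block of a DDS log in the format shown above, followed by the triage rules a responder would apply to it. The sample log text is constructed to match that format, the event-ID interpretations are the standard Windows meanings for SCM 7000/7009, Ftdisk 45/49 and W32Time 17, and the function names are my own.

```python
"""Parse the '==== Event Viewer Messages ====' block of a DDS log and pull
out the entries a responder cares about during malware triage."""
import re
from datetime import datetime

# Constructed sample in the DDS format shown above (not a real capture).
SAMPLE_DDS = """\
==== Event Viewer Messages From Past Week ========

11/17/2009 2:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
11/17/2009 2:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
11/17/2009 2:25:35 PM, error: Service Control Manager [7000] - The Smart Modular JeppDrive USB Driver service failed to start due to the following error: The system cannot find the file specified.
11/17/2009 2:22:27 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/17/2009 2:22:27 PM, error: Ftdisk [45] - The system could not successfully load the crash dump driver.

==== End Of File ===========================
"""

# One DDS event per line: "<date> <time> AM/PM, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)


def parse_dds_events(text):
    """Return the events inside the Event Viewer block as dicts, in log order."""
    events, in_block = [], False
    for line in text.splitlines():
        if line.startswith("==== Event Viewer Messages"):
            in_block = True
            continue
        if line.startswith("==== End Of File"):
            break
        if not in_block:
            continue
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank separator line
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def triage(events):
    """Summarise the events that change how you approach a cleanup."""
    report = {
        # SCM 7000 + "cannot find the file": the service's registry entry points
        # at a binary that is no longer on disk (common after a removal tool
        # deletes a file but leaves the service key behind).
        "missing_service_binary": [],
        # SCM 7009: the binary exists but never checked in with the SCM.
        "service_timeout": [],
        # Ftdisk 45/49: no usable crash dump, so a later BSOD leaves no memory
        # image to analyse.
        "no_crash_dump": False,
        # W32Time 17: repeated DNS failures for the time server while "online".
        "ntp_dns_failures": 0,
    }
    for ev in events:
        src, eid, msg = ev["source"], ev["event_id"], ev["msg"]
        if src == "Service Control Manager" and eid == 7000:
            m = re.match(r"The (.+?) service failed to start", msg)
            if m and "cannot find the file" in msg:
                report["missing_service_binary"].append(m.group(1))
        elif src == "Service Control Manager" and eid == 7009:
            m = re.search(r"waiting for the (.+?) service to connect", msg)
            if m:
                report["service_timeout"].append(m.group(1))
        elif src == "Ftdisk" and eid in (45, 49):
            report["no_crash_dump"] = True
        elif src == "W32Time" and eid == 17:
            report["ntp_dns_failures"] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(parse_dds_events(SAMPLE_DDS)).items():
        print(f"{key}: {value}")
```

The "no_crash_dump" flag is the one to note before running an aggressive cleaner: if the machine blue-screens afterwards, as this one did, there will be no dump to tell you which driver faulted.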
 
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Virtumonde

Hi Blade81,

Thanks again for your assistance and your quick replies!

I have downloaded ComboFix and will copy it over to the infected machine as I did before with DDS.

I have also printed out the ComboFix Instructions and will carefully read them before running the ComboFix program. I don't know how long it will take me to absorb and understand the ComboFix Instructions and Cautions but I will post the results ASAP.

Being in Finland, and thus 6 or 7 hours ahead of me, you are probably nearing the end of your "Work Day!" :-) so I understand if you do not reply again as quickly as you have so far.

If this is the case, please enjoy your "off time" and I will look forward to your next reply!
 
Good News and Bad News

Well Blade, I have some good news and then some bad news.

I downloaded and copied ComboFix to the desktop of the infected machine. I then read and re-read the ComboFix Instructions to be sure of what I could expect. As per the instructions, before running ComboFix, I disabled my Anti/Virus/Malware and Firewall programs (SpyBot and AVG Resident Shields... and the Windows Firewall). The machine was not connected to the internet.

After reading how ComboFix would check and install the Windows Restore Console if not already installed, I also checked my Win XP Help and Support Screen to verify that the Restore Console was present there. I also remembered seeing in the DDS report log a number of system restore points going back to at least October. So I was pretty sure that ComboFix would not need to install the Restore Console.

I then ran ComboFix. The program ran as expected and outlined in the instructions, backed up the registry, created a restore point, and then surprisingly announced "This machine does not have the Windows Recovery Console installed...Without it ComboFix will not attempt to fix some serious infections... Click Yes to have ComboFix download/install it... an internet connection is required.)" This was unexpected but I then reconnected the machine to the internet and clicked Yes. The install reported that it was successful. (BUT I did notice this successful install message mentioned Windows XP SP2 and this machine does have SP3 installed.) Oh well, I thought, and clicked YES again to continue with Scanning.

Scanning completed all the numbered scan stages and then reported...
"C:\Windows\system32\ws2_32.dll INFECTED" and then...
"Successfully Restored" Then deleting files... and deleting folders... (quite a few of each)

I then saw the message saying "Preparing Log Report" but before ComboFix closed and successfully displayed the log report the machine rebooted. After a long Welcome screen, a BLUE SCREEN opened saying... "A problem has been detected and Windows has been shut down to prevent damage... Check newly installed H/W and S/W... If this is the first time you've seen this screen RESTART the machine...." and...
TECHNICAL INFO
STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000000, 0x804DC25D)

I could not shut down normally so I powered off the machine and turned it back on. SAME BLUE SCREEN, slightly different message about checking for Viruses and Hard Drive & HD Controllers.. and..
TECHNICAL INFO
STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

Subsequent attempts to restart in NORMAL or SAFE MODE resulted in the same second blue screen described above. I did not try starting at a SYSTEM RESTORE POINT. Before trying a SYSTEM RESTORE point I thought I'd ask you what RESTORE POINT I should select if I can get to that point and if you think any restore point might be successful.

TRY SYSTEM RESTORE...
TO A DATE BEFORE THE INFECTION?
TO A DATE BEFORE OR AFTER my initial HJT scan or DDS scan?
TO A DATE AND TIME BEFORE the ComboFix Scan
OR WHAT?

Having not yet been able to restart in safe or normal mode, I am not sure if ComboFix successfully created & saved a report as C:\ComboFix.txt.

I sure hope you know what's happening and you can still help!

TomZT

PS: Also in case it might help you... while checking that all my anti/virus/spyware was disabled and before running ComboFix, I opened TASK MANAGER and noticed 20-30% of CPU was being used (Off and On) by the process "taskill.exe or taskkill.exe". I didn't like the looks of that but proceeded with the ComboFix as described above.
 
Hi,

Have you tried to reboot using last known good configuration -option?
 
I mean this.

Also, system restore and recovery console are not the same thing.
 
Thanks Blade

Thanks Blade,

I will look at the link you provided and also try rebooting to last known good config. I can't do this right now as today is my wife's birthday and we're heading out to eat. I will get back on this again in a couple of hours and post what happens. I do appreciate your assistance.
 
Can't restart Windows

Hi Blade81,

I do not have any good news.

I cannot restart in NORMAL or SAFE MODE or to LAST KNOWN GOOD CONFIGURATION. RESULT = Same Blue screen

If I restart with the F8 key, then select START NORMALLY, SAFE MODE or LAST GOOD CONFIG, and then select Microsoft Windows Recovery Mode, I come to a selection screen labeled Microsoft Windows XP Recovery Console which asks me "Which Windows installation would you like to log on to?"

There is only one choice...
1: C:\Windows

Pressing #1 and then Enter I come to a black screen with a Dos Prompt...
C:\WINDOWS>_

Once there, I ran...
1. chkdsk c: with no switch - RESULT = Volume appears good and was not checked
2. chkdsk c: /p - RESULT = Chkdsk ran to 25%, then slowly to about 50%, then a bit faster to 75%, and then quit and reported results. (The drive is about 75% full)
3. Then ran chkdsk c: /r - RESULT = Chkdsk ran OK to about 50%, then slowly to 75%, and returned to 50%, and again slowly to 75% and back to 50%. I then powered off.

Still can not boot to any Windows XP mode except the Black Screen DOS Prompt when pressing F8 while restarting then selecting NORMAL, SAFE, or LAST KNOWN GOOD CONFIG, and then choosing Windows Recovery Console.

Do you think I will ever be able to restart Windows XP again?
Perhaps with...
...the ERUNT Registry Backup?
...the ComboFix Registry Backup?
...any other means?

Or am I doomed to reformatting this hard drive and reinstalling everything?

I look forward to your guidance and suggestions.
TomZT
 
Hi,

We'll try to restore things back. First I'd like to know if you have a flash memory to transfer c:\ComboFix.txt file (if it's present) from infected system?

This can be done by entering the recovery console (like you did earlier) and entering the following commands (press Enter after each one); f: is the USB drive letter here (it may be different on your system):
set allowallpaths = true
set allowallremovablemedia = true
copy c:\combofix.txt f:\combofix.txt
 
Recovery

Hi Blade,

I will try your suggestion... But first I have a couple of questions...

What method should I use to get to the Recovery Console...
F8 when Booting, then SAFE MODE, Then Recovery Console?
F8 when Booting, then NORMAL MODE, Then Recovery Console?
or, F8 when Booting, then LAST GOOD CONFIG MODE, Then Recover Console?

I have several mapped network drives on this computer but I'm not sure what drive letters have been assigned to them. Is there any way I can, from the Recovery Console, determine the correct letter for the Flash Drive?

I await your reply.
Tom
 
When the system reboots you should have two options to choose from (those will appear for a couple of seconds):
Microsoft Windows XP Recovery Console
Windows XP Professional

Choose recovery console. You could copy some dummy test file to your flash drive (create an empty test.txt file with Notepad, for example) and then in the recovery console, after entering those two set commands instructed in my previous post, use the command dir <drive letter>, e.g. dir f:, and see which one lists the test.txt file.
 
Recovery

I created a test.txt file on another machine and saved it to a flash drive. Then plugged the flash drive into the infected machine.

Then entered the Recovery Console...
C:\WINDOWS>_

The first command: set allowallpaths = true (this worked fine)

The second command: set allowallremoveablemedia = true (this did not - bad parameter). After using the DOS command (HELP - /?) feature, I modified your parameter slightly, and tried: set allowremovablemedia = true (this seemed to work fine).

The ONLY GOOD NEWS SO FAR is, after the above commands, I discovered that Combofix did create a ComboFix.txt file; however the file was actually located in C:\ComboFix\combofix.txt (361 bytes) rather than in the C:\ (root directory).

So then I entered your third command (modified slightly):
copy c:\combofix\combofix.txt f:\combofix.txt (this did not work - NO floppy or CD in drive).

Trying to find the correct drive letter for the Flash Drive, I tried...
dir f: - (this did not work - No floppy or CD in drive) Then...
dir g: - dir h: - dir h: - etc. - on through: dir z: (this did not work - All reported invalid path or file)

So the ComboFix.txt file is in there, I just need to find out how to get it out! Any more suggestions?
 
More good news, I hope

I remembered from my old DOS days the commands Print or LPrint.... Couldn't find any help on those commands but searching further in the DOS command help feature, I re-discovered that I could use the type command to display a text file on-screen. So I entered...

type c:\combofix\combofix.txt

Here (re-typed by hand) is the contents of the ComboFix.txt file...
-------------------------------------------------------------------------
ComboFix 09-11-20.01 - Tom McNeal 11-20-2009 16:06:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.360 [GMT -6:00]

Running from: C:\Documents and Settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
-------------------------------------------------------------------------
I sure hope this helps Blade!
 
Hi Tom,

Seems that ComboFix didn't get far there. Let's see if we can get your system bootable now.


1. Restart your computer
2. Enter the recovery console like earlier.
3. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

4. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

5. The erunt backups will begin copying.
6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. See if you're able to create a fresh DDS log now :)
 
No Joy

Hi Blade,

I ran the ERUNT Registry Restore as described above...
from c:\WINDOWS>_

cd erdnt\subs
batch erdnt.con
(appeared to complete successfully - 9 files copied - returned to prompt)
Then... exit

Windows began loading and then displayed the same blue screen described in my previous posts.

Tom
 