Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu

melbeach

New member
Yesterday (2008-11-22), I began having problems with Google redirects after conducting searches. Websites would open in new windows that related to my search queries. I tried to run Adaware and that would crash. Norton AV picked up nothing. I noticed the following strange startup options that had been added:

Startup Item: bepepono
Command: Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: huholapu
Command: Rundll32.exe "C:\WINDOWS\system32\ huholapu.dll",b
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

So I googled these terms and found absolutely nothing. I found it to be very strange that none of these words turned up a single solitary Google entry (bepepono, dayevino, huholapu). As soon as I would uncheck these items in startup, leave, then come back, they would be automatically rechecked. I tried deleting the actual dll files and it wouldn't let me.

So I found Spybot and that helped immensely! It found the following problems:

MS.WindowsSecurityCenter.FirewallBypass
Virtumonde.prx
Virtumonde

I ran Spybot a few more times, a couple times while not connected to the internet (per recommendation on one of the items). Yet the Google redirecting would still occur.

I then ran the Atribune ATF Cleaner. The Google redirecting stopped occurring. The strange startup items now allow me to uncheck them - all except for one:

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This startup item always stays checked. So I am concerned that my computer is still infected. Here is my HJT log. You will notice all of the references to the above-named startup items:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:02 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O4 - HKUS\S-1-5-19\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7890 bytes

Any help would be very greatly appreciated. I'm almost there!
 
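Added example, not part of the thread or any tool mentioned in it: a small Python scorer that runs the checks a log helper applies by eye over HijackThis-style lines. The sample lines are copied from the log above (plus one constructed benign rundll32 line in the usage note) so it runs offline. The signals are the ones visible in this log: a DLL listed in AppInit_DLLs (O20), a text/html filter hijack (O18), SSODL/SharedTaskScheduler load points (O21/O22), a Run entry that launches a DLL through Rundll32 by a single-letter export, a BHO with no name, a registered DLL that is "(file missing)", and the four-syllable random names (bepepono, dayevino, subalavi) that Vundo-family loaders use. The point weights and the threshold of 2 are my own assumption; the name pattern alone is deliberately weak because legitimate DLLs such as setupapi.dll also match it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O4 - HKUS\S-1-5-19\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'LOCAL SERVICE')
O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# Four consonant-vowel syllables, eight lowercase letters (bepepono, dayevino,
# huholapu, subalavi, pukovubu). Weak on its own: setupapi.dll matches too, so it
# is worth one point and a line needs a second indicator to be flagged.
CV_DLL = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")

# Rundll32 calling a DLL by a one-letter export ("...bepepono.dll",s), the loader
# shape in the Run entries above. A named export (",Control_RunDLL") does not match.
RUNDLL_ONE_LETTER = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?\s*,\s*[a-z]\b', re.I)

# Any drive-rooted path ending in .dll; non-greedy so "a.dll b.dll" yields both.
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.I)


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    dlls: list[str] = field(default_factory=list)


def score_line(line: str) -> Finding:
    """Assign heuristic points to one HijackThis line (weights are an assumption)."""
    f = Finding(line=line.strip())
    text = f.line
    head = text.split(" - ", 1)[0].strip()  # "O4", "O20", ...
    low = text.lower()

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    for m in DLL_PATH.finditer(text):
        path = m.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        f.dlls.append(name)
        if CV_DLL.match(name) and "\\system32\\" in path.lower():
            hit(1, f"{name}: random-looking four-syllable name in system32")

    if head == "O18" and "filter hijack" in low:
        hit(3, "O18 MIME filter hijack: every text/html response passes through this DLL")
    if head == "O20" and "appinit_dlls:" in low and f.dlls:
        hit(2, "O20 AppInit_DLLs: DLL loaded into every process that loads user32.dll")
    if head in ("O21", "O22"):
        hit(2, f"{head} shell load point (SSODL/SharedTaskScheduler) with a non-default DLL")
    if "(file missing)" in low:
        hit(1, "registered DLL no longer on disk: loader removed, registration left behind")
    if head == "O2" and "(no name)" in low:
        hit(1, "O2 BHO with no name")
    if RUNDLL_ONE_LETTER.search(text):
        hit(2, "Run entry launches a DLL via rundll32 with a single-letter export")
    return f


def analyze(log_text: str, threshold: int = 2) -> list[Finding]:
    """Return the lines that reach the threshold, in log order."""
    findings = (score_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f.score >= threshold]


def flagged_dlls(log_text: str, threshold: int = 2) -> set[str]:
    """DLL basenames referenced by flagged lines: the files to examine or remove."""
    names: set[str] = set()
    for f in analyze(log_text, threshold):
        names.update(f.dlls)
    return names


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print("      -", r)
    print("DLLs to examine/remove:", sorted(flagged_dlls(SAMPLE_LOG)))
```

Run against the sample, seven of the nine lines are flagged and the DLL set comes out as bepepono.dll, dayevino.dll, mst120.dll, pukovubu.dll and subalavi.dll; the Adobe BHO and the Wacom service score zero. A constructed line such as `rundll32.exe C:\WINDOWS\system32\setupapi.dll,InstallHinfSection` scores only one point (name pattern, named export) and stays below the threshold, which is why the name heuristic is not trusted on its own.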
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Not quite sure what this is, please be patient while we find out and remove it.

1) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg


2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt and the uninstall list.

Thanks
 
pskelly, thanks so much for the help! Yeah, this is getting worse. The startup files seem to be random. It's like what I read, the files are random eight-letter names. Every now and then, it adds a new one. It's getting much harder to use the internet now. I haven't changed anything since I posted the first time. But it's going to be hard to not use the internet for troubleshooting.

I ran the HJT list, but Smitfraud didn't do much. It opened to a dos window, but just sat there blinking. I left it for about 10 mins, but nothing. Searched the hdd for "rapport" and nothing. No new txt files at the c drive. I did get a new folder on my desktop called "SmitfraudFix". It contains 25 executables. Do I need to use one of these?

Here's the HJT Uninstall List:

Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.1
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_01
Java(TM) 6 Update 2
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver
 
We need to get Smitfraudfix to run, I need the information it will provide. Read the instructions carefully. Turn off Norton/Symantec for the time you are downloading the program. That is what the disclaimer is for, to let you know your AV program may block a needed file.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm


1) Remove any Smitfraudfix you have now, right click and delete it.

2) Exit Norton just for the time needed to download the program.

3) Download from here: http://siri.urz.free.fr/Fix/SmitfraudFix.exe

4) "Save this file now" and save it to your Desktop.

5) http://siri.urz.free.fr/Fix/SmitfraudFix.exe <<< look carefully at this information. Look at the screenshot so you will know what you will see when you Doubleclick on the Smitfraudfix.exe.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

That is as far as you go this time, the program will search for the infection, post the C:\rapport.txt

You can see another members report here, Post number 3 is what the report will look like.
http://forums.spybot.info/showthread.php?t=37078

Thanks
 
Thanks for the help, I'm just not having any luck with this. I already had Norton disabled in the taskbar and in startup. So this time, I disabled all the Norton services I could find - thru Computer Management. Shut down. (It wouldn't let me delete the Smitfraud folder until I shut down first.) Turned back on. Deleted the Smitfraud items. Emptied Recycle Bin. Shut down again. Turned back on. Made sure the Norton services I disabled were still disabled and not running. Went back to this page and downloaded Smitfraud file from this page to desktop. Double-clicked and left it alone. Still just a blinking cursor. Then I went back and did it all again, but ran it while offline. Still just the blinking cursor. I can't think of any other ways to turn off Norton. Do I need to uninstall it? Well, it looks like I'm hitting a wall. There were three malignant dll file references checked in startup. I can't shut them off. Could the malware be preventing the software from running?
 
Thanks for the feedback, and it is very possible malware is blocking Smitfraudfix. It is happening all over and I have never seen these files before.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8.1.1 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Java 2 Runtime Environment, SE v1.4.2_01 <<< very old
Java(TM) 6 Update 2

See this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Very old versions can be difficult to uninstall, if you have a problem, this tool will help:
http://www.majorgeeks.com/JavaRa_d5967.html


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image: RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image: whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
Well, this is getting interesting. This post is real long, but here goes. It seems that Combofix will only run if I'm offline. I tried it a couple times with no luck. It would start to open, showing a bar that suggests it's starting. But then nothing. If I opened Task Manager, no programs were open. The next time, as soon as the combofix.exe downloaded from your site, I disconnected my internet connection real fast. Ran Combofix and that time, it worked. But I didn't continue because I was worried about not having the Windows Recovery Console. So I ran a backup to be safe. Here's some things I noticed:

After trying to run Combofix, its desktop icon moves from last of the icons to its proper spot in alphabetical order.

When I shut down, cmd.execf was still running in Task Manager. So I shut that off manually.

I tried renaming the Combofix file to fool the malware. That didn't work.

I have a new file on my root c: called "Bug.txt". Here are the contents:

PUSHD "C:\32788R22FWJFW\"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

"C:\WINDOWS\system32\Find.exe" "5.2." OsVer

---------- OSVER

IF 1 == 0 GOTO Not_NT

"C:\WINDOWS\system32\Find.exe" "5.1.2" OsVer

---------- OSVER
Microsoft Windows XP [Version 5.1.2600]

IF 0 == 0 GOTO NT

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user01\Application Data
CFLDR=32788R22FWJFW
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMP01
ComSpec=C:\WINDOWS\system32\cmd.execf
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user01
KMD=CF20764.exe
LOGONSERVER=\\COMP01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SESSIONNAME=Console
sfxcmd="C:\Documents and Settings\user01\Desktop\ComboFix.exe"
sfxname=C:\Documents and Settings\user01\Desktop\ComboFix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user01\LOCALS~1\Temp
TMP=C:\DOCUME~1\user01\LOCALS~1\Temp
USERDOMAIN=COMP01
USERNAME=user01
USERPROFILE=C:\Documents and Settings\user01
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

-----------------------------------------------------End (not part of file)


Here are some other observations:

My system tray clock is now in military time and the font is different.

In the past week, Norton has stopped something from downloading a few times. I was on a website the first time it happened: http://www.cflsurf.com/. I've noticed that banner ads are getting really aggressive lately. They have audio, telling you that you've won something. Well I'm convinced that one of these ads triggered the first incident. Here's the Norton info on it: http://securityresponse.symantec.co...teup.jsp?docid=2008-080702-2357-99&tabid=2. At the time, I did some poking around and concluded that it was nothing to worry about, mainly based on this thread where the same thing was happening on a forum website: http://www.tdpri.com/forum/forum-problems-issues/127157-trojan-horse-virus-amp-forum-2.html. It looks like the ad is trying to access Flash and Norton doesn't like it.

Any time I click on a link in IE, another window opens. Here are some of the links that open:

http://gallimp.com/r_cmtp?u=http://...304890471a&affid=169011&tid=red65z&rid=606207

http://zustaus.com/r_cmtp?u=http://...304890471a&affid=169011&tid=red65z&rid=321683

http://cowresti.com/r_cmtp?u=http:/...304890471a&affid=169011&tid=red65z&rid=502859

One link references live scan 2009.

The power in the house flashed off for a split second. I use a UPS unit, so my computer stayed on. Could be coincidence, but the instant that happened, a new IE window opened like above. Normally, I have to click a link for that to happen.

Okay. So I haven't done anything else. I'm wondering how risky it would be to run Combofix without the Windows Recovery Console. Maybe I can start it with the internet disconnected. Then when it gets to the Windows Recovery Console part, I can plug it in and the malware won't be able to interfere at that point? I'll wait to see what you say. Thanks for your patience with this!
 
Yes, you can run ComboFix without installing the Recovery Console. If that does not work, try running it in safe mode. You can even try renaming it in case the malware is blocking it.

Image: CF_download_rename.gif

Double click on Combo-Fix.exe & follow the prompts.
 
Wow, this was pulling teeth. But I finally managed to run ComboFix. I had to turn services off, log off. Try again. I tried so many things, I was about to give up. So I lost track of what exact combination made this work.

Another thing: When ComboFix was trying to make its log, Norton popped up saying I had a virus. This suggests that the malware has control of my Norton. I know I had all signs of Norton off. I even had stopped all Norton related services in Computer Management. (Do I need to always do this?). Well the only option for this virus window was to stop it. It didn't allow me to select Allow. Sneaky. Well I knew this virus was actually Combofix trying to work because it had the same name as the ComboFix exe file that I renamed. So my only option was to enter Task Manager and turn off Norton that way. I did and eventually everything finished.

So here's combofix.txt:

ComboFix 08-11-26.03 - user01 2008-11-26 12:28:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1688 [GMT -5:00]
Running from: c:\documents and settings\user01\Desktop\asdfasfa.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\system32\bepepono.dll
c:\windows\system32\bihofiye.dll
c:\windows\system32\butugagu.dll
c:\windows\system32\Cache
c:\windows\system32\ejemavun.ini
c:\windows\system32\ewedefav.ini
c:\windows\system32\hatutiza.dll
c:\windows\system32\huholapu.dll
c:\windows\system32\jayoriji.dll
c:\windows\system32\jijuwajo.dll
c:\windows\system32\lehelojo.dll
c:\windows\system32\nuvameje.dll
c:\windows\system32\ojawujij.ini
c:\windows\system32\osurehiz.ini
c:\windows\system32\pukovubu.dll
c:\windows\system32\subalavi.dll
c:\windows\system32\tudofeju.dll
c:\windows\system32\ugagutub.ini
c:\windows\system32\vafedewe.dll
c:\windows\system32\wayolelu.dll
c:\windows\system32\yofamemo.dll
c:\windows\system32\ziheruso.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 09:38 . 2008-11-26 12:27 <DIR> d-------- C:\ComboFix
2008-11-26 08:43 . 2008-11-26 08:43 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:43 . 2008-11-26 08:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 21:17 . 2008-11-23 21:17 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 15:26 . 2008-11-23 15:26 95 --a------ c:\windows\wininit.ini
2008-11-23 13:54 . 2008-11-23 14:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 13:54 . 2008-11-23 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:13 . 2008-11-23 11:13 <DIR> d-------- C:\ccd066084f53d0438d065ff286
2008-11-23 11:03 . 2008-11-23 11:03 <DIR> d-------- C:\725ff6cd28be1104e3bc64
2008-11-23 11:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --a------ c:\windows\system32\SET4C.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\SET13.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-23 11:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-23 11:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-21 09:06 . 2008-11-22 23:04 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-21 09:06 . 2008-11-21 09:06 1,409 --a------ c:\windows\QTFont.for
2008-11-10 18:14 . 2008-11-26 12:28 <DIR> d-------- c:\program files\Common
2008-11-03 19:30 . 2008-11-03 19:30 <DIR> d-------- c:\program files\MultipleIEs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 13:42 --------- d-----w c:\program files\Java
2008-11-25 20:09 --------- d-----w c:\program files\QBImport
2008-11-23 06:27 --------- d-----w c:\program files\Bradbury
2008-10-31 03:07 --------- d-----w c:\program files\Opera
2008-10-25 00:41 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-01 19:37 --------- d-----w c:\program files\Safe Storage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coloreal Visual.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Coloreal Visual.lnk
backup=c:\windows\pss\Coloreal Visual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoGamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
backup=c:\windows\pss\MonacoGamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
backup=c:\windows\pss\MonacoReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Road Runner Safe Storage.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Road Runner Safe Storage.lnk
backup=c:\windows\pss\Road Runner Safe Storage.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Internet Call Notification.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk
backup=c:\windows\pss\U.S. Robotics Internet Call Notification.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user01^Start Menu^Programs^Startup^RoadRunner Setup Wizard.lnk]
path=c:\documents and settings\user01\Start Menu\Programs\Startup\RoadRunner Setup Wizard.lnk
backup=c:\windows\pss\RoadRunner Setup Wizard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2003-03-26 10:15 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2006-03-09 11:47 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMixer]
--------- 1999-11-18 05:01 20480 c:\program files\Creative\Audio\Program\Ctmix32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox MultiDesktop]
--------- 2003-07-10 16:35 417792 c:\windows\system32\PowerDesk8\MultiDesk\pdmmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk 8]
--------- 2003-09-10 11:16 77824 c:\windows\system32\PowerDesk8\PowerDesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
--------- 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-05-06 13:16 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-05-06 13:05 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-26 08:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--------- 2005-04-27 17:42 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-05-06 13:05 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-06-30 09:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Matrox Graphics Inc\\PowerDesk SE\\Matrox.Pdesk.ServicesHost.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

[HKLM\~\Services\\Matrox.PowerDesk.Services.exe"=]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Mtxparmx;Mtxparmx;c:\windows\system32\DRIVERS\Mtxparmx.sys [2008-09-22 5504]
R2 Matrox Centering Service;Matrox Centering Service;"c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\DRIVERS\MTXPARM.sys [2008-09-22 1485568]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys []
S3 Ccevdmrc_cr;Ccevdmrc_cr; []
S3 Gamrddss;Gamrddss; []
S3 Hiemrt;Hiemrt; []
S3 MTXPARH;MTXPARH;c:\windows\system32\DRIVERS\MTXPARHM.sys [2003-11-20 452736]
S3 Netdwssrrw;Netdwssrrw; []
S3 Nmlnkfkahta;Nmlnkfkahta; []
S3 Rassosadcswf;Rassosadcswf; []
S3 Sfl78pospt;Sfl78pospt; []
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
S4 .nmspsr;.nmspsr; []
.
Contents of the 'Scheduled Tasks' folder

2003-12-01 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2003-12-01 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - c:\windows\system32\subalavi.dll
MSConfigStartUp-24a054a9 - c:\windows\system32\nuvameje.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-CPM27936735 - c:\windows\system32\hatutiza.dll
MSConfigStartUp-zowafeduve - c:\windows\system32\bepepono.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\user01\Application Data\Mozilla\Firefox\Profiles\8rye090x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Documents%20and%20Settings/user01/My%20Documents/Practice/Practice%20-%2015%20-%20SIS/sis-05-xhtml.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:32:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\Ctsvccda.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\locator.exe
c:\program files\Norton SystemWorks\Norton Antivirus\SAVSCAN.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
.
**************************************************************************
.
Completion time: 2008-11-26 12:36:23 - machine was rebooted [user01]
ComboFix-quarantined-files.txt 2008-11-26 17:36:20

Pre-Run: 90,437,300,224 bytes free
Post-Run: 90,360,676,352 bytes free



And here's the HJT log:

Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java(TM) 6 Update 10
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver


I should also mention that Windows Security turned itself back on and there is a yellow shield in my tray that says I have updates. Should I install them? This came up when the computer rebooted at the same time that Norton was trying to kill the ComboFix process.
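As an added example (not code from the original thread and not part of ComboFix), here is a small Python triage script for the "Reg Loading Points" part of a ComboFix log like the one above. It flags the three things that stand out in this log: Run values that load a DLL from system32 through Rundll32.exe, Security Center values that silence the antivirus/update warnings, and service entries with no backing file. The sample lines are copied from the log above; the "pronounceable name" heuristic and the finding categories are assumptions made for this example, not documented properties of Virtumonde or of ComboFix.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix code and not from the posts.
Indicators checked:
  * Run / Run- values that launch a DLL from system32 via Rundll32.exe
  * Security Center values that suppress AV / update warnings
  * ComboFix service lines of the form "S3 Name;Name; []" (no image path)
"""
import re
from dataclasses import dataclass

# Sample input: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

S3 Ccevdmrc_cr;Ccevdmrc_cr; []
S3 Hiemrt;Hiemrt; []
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "rundll32-autorun" | "security-center-tamper" | "service-no-file"
    where: str   # registry key or service name
    detail: str


KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
# ComboFix service line: "<start> <name>;<display>;<path> [<date size>]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$')

VOWELS = set("aeiou")


def looks_pronounceable(name: str) -> bool:
    """Heuristic (assumption for this example): strictly alternating
    consonant/vowel letters, as in the DLL names seen in this log
    (bepepono, dayevino). Real product DLLs rarely look like that."""
    if not name.isalpha() or not name.islower() or len(name) < 6:
        return False
    classes = [c in VOWELS for c in name]
    return all(a != b for a, b in zip(classes, classes[1:]))


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return every indicator found."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                      # "[HKEY_...]" header: remember the key
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:                      # '"name"=value' inside the current key
            name, value = m.group(1), m.group(2).strip()
            r = RUNDLL_RE.match(value)
            if r and "\\system32\\" in r.group(1).lower():
                dll_path = r.group(1)
                stem = dll_path.replace("/", "\\").rsplit("\\", 1)[-1][:-4].lower()
                tag = ("pronounceable random-looking name"
                       if looks_pronounceable(stem) else "review manually")
                findings.append(Finding("rundll32-autorun", current_key,
                                        f"{name} -> {dll_path} ({tag})"))
            elif ("security center" in current_key.lower()
                  and value.lower() == "dword:00000001"
                  and name.lower().endswith(("disablenotify", "disablemonitoring"))):
                findings.append(Finding("security-center-tamper", current_key, f"{name}=1"))
            continue
        m = SERVICE_RE.match(line)
        if m:                      # service with neither a path nor a file stamp
            start, svc, _display, path, stamp = m.groups()
            if not path.strip() and not stamp.strip():
                findings.append(Finding("service-no-file", svc,
                                        f"{start} entry with no image path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

Run it against the full ComboFix.txt rather than the excerpt and it will also pick up the two Run- values and the three Security Center flags shown above; the "no file" services are the ones ComboFix lists with an empty path, which is what the orphaned Ccevdmrc_cr entry in the later HijackThis log corresponds to.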
 
Thanks for posting the ComboFix log, you said:
When ComboFix was trying to make its log, Norton popped up saying I had a virus.
That is the reason the instructions said this:
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Please wait until you are clean before you install those Windows Updates if at all possible.

Please read the directions carefully, I cannot proceed without that HJT log.:sad:
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

I will be away from the computer for the next several hours.
 
That is the reason the instructions said this:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.

pskelley, you didn't read my post. I had Norton off in more ways than one. I think the malware had control of Norton. That's also why I don't trust the MS update it's offering! Read my post again. I think some of these things could be important.

Please read the directions carefully, I can not proceed without that HJT log.

I included the HJT log. Look again. :rolleyes: We're doing good! My speed is back. Emails come in quickly again. I don't see any strange startup files. I'm not convinced though. My systray is still showing military time.
 
That is NOT a HijackThis log, that is the uninstall list, please post a new HJT log.
 
That is NOT a HijackThis log, that is the uninstall list, please post a new HJT log.

Do I feel like a heel! I even added the funny face. Sorry about that. Here's the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:09, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7686 bytes

I don't think anything will be holding me back from running Smitfraud now. So let me know if I should. Thanks for all the help!
 
Thanks for the HJT log, what about all of those O15 - Trusted Zone items? Did you create those for a reason? Unless you have a reason, you can remove those, here is information:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O15Diag


Let's do some cleaning and have MBAM take a look, proceed like this.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave this if you set it to about:blank)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O15 Trusted Zone <<< you may check and remove any of those items you don't know or need.

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks...Phil:santa:
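Added example (not from the thread and not part of HijackThis) of reviewing the O15 Trusted Zone list and the O23 "(no file)" service programmatically, the two things the reply above asks about. The point it makes: a wildcard entry such as *.go.com extends the relaxed Trusted Zone settings to every host under that domain, and several of the explicit entries in this log are already covered by a broader wildcard. The sample lines are excerpted from the HJT log above; the zone-matching rules (suffix match, scheme-less entry covers every scheme) are a simplified model and an assumption of this example, not Internet Explorer's exact ZoneMap semantics.

```python
"""Review O15 Trusted Zone entries and O23 '(no file)' services in a
Trend Micro HijackThis 2.0.2 log.

Added example for this thread; not HijackThis code and not from the posts.
Zone matching is simplified (assumption): '*.x' covers x and any host under
x, and an entry with no scheme covers every scheme.
"""
import re
from dataclasses import dataclass

# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.surfcam.net
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

HJT_LINE_RE = re.compile(r'^(R\d|F\d|O\d+)\s+-\s+(.+)$')


@dataclass(frozen=True)
class ZonePattern:
    raw: str      # as printed by HJT, e.g. "http://*.go.com"
    scheme: str   # "http", "https", or "" when the entry has no scheme
    host: str     # "*.go.com" or "www.nasdaq.com"

    @property
    def wildcard(self) -> bool:
        return self.host.startswith("*.")

    def covers(self, other: "ZonePattern") -> bool:
        """True if this entry already trusts everything `other` trusts
        (simplified model, see module docstring)."""
        if self == other or (self.scheme and self.scheme != other.scheme):
            return False
        if not self.wildcard:
            return (not other.wildcard) and other.host == self.host
        base = self.host[2:]
        target = other.host[2:] if other.wildcard else other.host
        return target == base or target.endswith("." + base)


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs, e.g. ("O15", "Trusted Zone: *.go.com")."""
    items = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def trusted_zones(items: list[tuple[str, str]]) -> list[ZonePattern]:
    zones = []
    for section, body in items:
        if section == "O15" and body.startswith("Trusted Zone:"):
            raw = body.split(":", 1)[1].strip()
            scheme, _, host = raw.rpartition("://")
            zones.append(ZonePattern(raw, scheme, host))
    return zones


def redundant_zones(zones: list[ZonePattern]) -> list[tuple[str, str]]:
    """(narrower, broader) pairs: the narrower entry adds nothing because a
    broader wildcard already trusts it. The wildcards are the entries to
    question first, since they lower IE's security settings for every host
    under that domain."""
    return [(n.raw, b.raw) for n in zones for b in zones if b.covers(n)]


def orphaned_services(items: list[tuple[str, str]]) -> list[str]:
    """O23 services whose binary is gone: leftovers of a removed infection or
    an uninstalled product; nothing legitimate is started from them."""
    names = []
    for section, body in items:
        if section == "O23" and body.endswith("(no file)"):
            m = re.match(r'Service:\s+(.+?)\s+-\s', body)
            if m:
                names.append(m.group(1))
    return names


if __name__ == "__main__":
    items = parse_hjt(SAMPLE_HJT)
    for narrow, broad in redundant_zones(trusted_zones(items)):
        print(f"O15 {narrow!r} is already covered by {broad!r}")
    for name in orphaned_services(items):
        print(f"O23 service {name!r} has no file on disk")
```

Feed it the whole HijackThis log and the wildcard entries (*.go.com, *.mapquest.com, *.nasdaq.com and so on) come out as the ones that subsume the rest; those are the O15 lines worth asking "did I add this?" about before clicking Fix checked.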
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7733 bytes


Malwarebytes' Anti-Malware 1.30
Database version: 1427
Windows 5.1.2600 Service Pack 3

11/26/2008 8:46:45 PM
mbam-log-2008-11-26 (20-46-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138571
Time elapsed: 43 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bepepono.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\butugagu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hatutiza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\huholapu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jayoriji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lehelojo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuvameje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pukovubu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\subalavi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tudofeju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vafedewe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wayolelu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yofamemo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziheruso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000201.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000203.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000210.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000214.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000215.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000218.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000220.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000211.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Nice! I don't see anything foul. I googled a couple services I didn't recognize. But they look to be legit. I don't know if the Telnet service being open is a problem: C:\WINDOWS\System32\tlntsvr.exe.

The O15's are my Trusted Sites. Since I had this infection, I went back to using the Trusted Sites system. That's what got me in this trouble - not using Trusted Sites in IE. I used to browse the web with scripting and ActiveX off. Sites that I trusted were added to Trusted Sites, where that stuff was turned on. That kept me virus free for six or seven years at least. But when I upgraded from IE6 to IE7, I stopped doing that - probably because IE7 deleted them all and I would have had to start from scratch. Plus, nobody else does it, I thought. Well, that was my undoing! So I went back to using the Trusted Sites system. But I will probably just switch to Firefox. The only thing that's kept me from doing that is the fact that Firefox doesn't have an option to turn off ActiveX. I hear that it's more secure than IE. But if ActiveX is always running? I don't know. I was going to ask about that. So for now, I want to keep the O15's there.

So the computer is running fast now. I'm really surprised. I thought there would be residual effects. But I'm not seeing it. Everything is responsive.

Do you have any suggestions for how to protect myself going forward? I'm not married to any av software or browser right now. My Norton is expiring in a couple days. So now would be the time to switch. I don't mind paying for something if it can be more proactive about stopping this Virtumonde infection before it starts. I think my problem was probably more about my browser security though. So that leads me back to the Firefox question.

Thanks. You've been a great help! I'll be donating to the cause for sure when we're done. Are we there yet? Or are there more scans to run?
 
Thanks for returning your information and the feedback. It looks like this service is no longer used?
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
Google does not know it, do you? Delete it if you wish:
Open a command prompt (Start > Run, type cmd, press Enter) and type
sc delete "Ccevdmrc_cr"
press Enter, then type
sc delete "cmdService"
press Enter, then type exit and press Enter to exit the command prompt
I don't know if the Telnet service being open is a problem
http://www.theeldergeek.com/telnet.htm
If this service is disabled, any services that explicitly depend on it will fail to start.
If you do not use this service, disable it or delete it.

Firefox/Internet Explorer... understand that the reason hackers go after IE is numbers; that's where they make their $$$. I have both but run IE most of the time. Firefox is seeing more and more attacks as more and more folks use it.
http://itmanagement.earthweb.com/secu/article.php/3698606
http://www.google.com/search?hl=en&q=Firefox+vs+IE&btnG=Search

Let's wrap up like this: after you have read the information from experts I post, if you still have questions, please post them and I will do my best to give you answers.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.



Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk. There is no need to post a clean scan result.

Update Norton Antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
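A small triage parser for HJT O4/O23 lines, added here as an example; it is not part of this thread and not code from HijackThis, ComboFix or any other tool named in it. It flags the two patterns discussed above (Run entries where rundll32 loads an 8-letter random-looking DLL from system32, as in the opening post, and O23 services reported as "(no file)", like Ccevdmrc_cr) on constructed sample lines modelled on this log. The 8-letter-name check is a heuristic for this Vundo variant, not a signature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed HJT-style lines modelled on the log in this thread. The two
# rundll32 entries reproduce the Run values from the opening post in O4 form,
# including the stray space after "system32\" that appeared in that post.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [bepepono] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O4 - HKLM\..\Run: [dayevino] Rundll32.exe "c:\windows\system32\ dayevino.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Heuristic only: every Vundo DLL in this thread is 8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass(frozen=True)
class Finding:
    item: str    # HJT entry name (Run value or service name)
    reason: str  # why a reviewer should look at it


def triage_hjt(text: str) -> list[Finding]:
    """Return the O4/O23 entries a reviewer would look at first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if r:
                path = r["dll"].strip()
                # tolerate the stray space seen in the opening post's paths
                base = path.rsplit("\\", 1)[-1].strip().lower()
                if "system32" in path.lower() and RANDOM_NAME_RE.match(base):
                    findings.append(Finding(
                        m["name"],
                        f"rundll32 loads {base} from system32; 8-letter random-looking name"))
            continue
        m = O23_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append(Finding(
                m["name"], "service registered but its binary is missing; orphaned entry"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.item}: {f.reason}")
```

An orphaned O23 entry is only a candidate for removal; confirm the service is unknown (as the helper did by searching for it) before running sc delete on it.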
 
What are you doing, it's Thanksgiving! Well, I'll be quick. I ran MBAM and it found nothing. I was about to post on here that everything was okay. I figured running Norton would be trivial, because it picked up nothing before. Well what do you know. It did pick up:

Source: C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
Description: The file C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir is infected with the Trojan Horse virus.

Norton's linky: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

So I quarantined that. Man, now Norton doesn't seem so bad. Funny how different software picks up different things.

Also for what it's worth, deleting cmdService failed. It said it didn't exist. I don't see it on the list either.

Other than that, I'll check out the links you added. If you want to close this, let's go ahead. Trust me, you don't want to wait around for me to come up with questions.

Thanks for all the help. You did great. Enjoy the holiday!
 
Source: C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
Description: The file C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir is infected with the Trojan Horse virus
Those are the combofix quarantine files, if the directions I posted to remove combofix were followed, that should have been removed? The instructions have to be done in the order I post them. You can take a look here:
C:\Qoobox <<< just to be sure that folder is gone if you wish.

Thanks
 
When I tried to delete Combofix per your instructions, it said "Windows can't find Combofix". I just searched the hdd and it can't find the executable. I must have deleted it off the desktop last night. I don't remember doing that though. But it wasn't there. So I figured it was all gone; I must have deleted it off the desktop last night. But I know better than that. Usually, I'll look for the uninstall. I guess not though. The Recycle Bin is empty too. Should I just delete the folders? It's not under Add/Remove. Thanks!
 
sUBs writes the uninstaller into the program to be used via the command function; if that would not work, then something had to happen somehow.

c:\documents and settings\user01\Desktop\asdfasfa.exe <<< here is where you installed it, delete that file

c:\ComboFix <<< look here and delete the folder and contents

c:\Qoobox <<< look here and delete folder and contents

Thanks
 