Virtumonde problem

Hi. I've had a virtumonde problem for a few days now. I recall on the night that this started, first getting a warning message from AVG about a virus with the name "SHeur2.GRY"

Next, I got a warning balloon on my task bar advising against leaving automatic updates disabled, which, of course, I did not turn off myself. When I right clicked the balloon and was taken to the security center, I noticed the firewall was disabled too. I managed to switch the firewall on again, but could not activate automatic updates.

I found it suspicious that when I opened the settings window through control panel to amend my settings for automatic updates, it was switched on, however the red X on the task bar still remained. I finally managed to sort it when I selected disable, then re-enabled it. Now both the settings and task bar show it as active and on.

Along with that, I got a number of Internet Explorer windows opening on their own and pop-up messages alerting me to install anti-virus software. I've heard about these things before and how they will switch the buttons. i.e. ok means cancel and cancel means ok. I hit Ctrl + Alt + Delete and closed the window from there rather than select either option. I also disconnected from the Internet at that point to avoid the malware from connecting to any other sites.

I originally tried to remove the malware through using AVG 8 and Ad-Aware, but both programmes had trouble even being able to keep all the files in either the vault or in quarantine. Thus the few files that were left, simply re-made the files that had been removed. I looked for advice on how to remove virtumonde, and people seem to be saying it requires software which is dedicated to removing virtumonde. Over the last couple of days I have tried following advice on my own on how to remove this with various programmes (VirtumundoBeGone, VundoFix and Malwarebytes' Anti-Malware). None of them managed to completely remove it, although Malwarebytes' Anti-Malware had got to the point were only two files were left that it couldn't remove.

From the night I got it, I had various advertising pop-ups which seem to have now stopped.. Not sure if it's a good thing or not that it appears not to be active. Possibly it is working in the background and I am unaware of what it's really doing.

I apologize for the long post, but I am desperate to get rid of this, so I hope I've provided all the information needed.

Also, just for your interest and in case it is of any relevance, here is a screenshot of the viruses I have put in the vault since I got this infection: http://img395.imageshack.us/my.php?image=75953135me0.jpg

Thank you in advance for any help given. I appreciate it.


DDS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 16:47:25.10 on 28/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1015.261 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {3429e074-279c-c0c8-b264-ea8ef0ca5883}: {3885ac0f-e8ae-462b-8c0c-c972470e9243} - c:\windows\system32\yaqpjd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll yaqpjd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\we7g6wew.default\
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-7 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-7 26824]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-9 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-9 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-7 76040]
R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SbieDrv;SbieDrv;\??\c:\program files\sandboxie\SbieDrv.sys [2008-3-5 93184]
S2 DigiChat 5.1 Server;DigiChat 5.1 Server;"c:\program files\digichat 5.1\dc_server_service.exe" "c:\program files\DigiChat 5.1" []
S2 DigiChat_4.0_Server;DigiChat 4.0 Server;c:\progra~1\digich~1.0\DIGICH~2.EXE -zglaxservice DigiChat_4.0_Server []

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 11:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-08-02 10:10 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-08-02 10:10 88 ---shr-- c:\docume~1\alluse~1\applic~1\7C046E08D3.sys
2008-07-10 15:37 23 -------- c:\documents and settings\hp_administrator\jagex_runescape_preferences.dat
2008-03-26 21:43 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-23 15:20 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat

============= FINISH: 16:48:13.79 ===============

Download GMER Rootkit Scanner from here.

• Extract the contents of the zipped file to the desktop.
• Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
• If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
• In the right panel you will see several boxes that have been checked. Uncheck the following the following checkboxes:
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Now click on the Scan button and wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.

Please post the contents of the ark.txt as your next reply.

The file was too large to attach here, so I have uploaded it to an external website.

http://www.mediafire.com/?sharekey=aa159db...2db6fb9a8902bda

Edited by AnthonyC, 06 January 2009 - 02:37 PM.

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

Thank you for your support so far.

A problem which I was having just recently where Google searches were re-directed seems to have been sorted out after running this. That's good.

Here's the ComboFix log.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\d3d9caps.dat
c:\documents and settings\All Users\Application Data\7C046E08D3.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
C:\Windows\System32\yaqpjd.dll
c:\windows\Tasks\oizwbtue.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"

Save this as the txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply[/b]. Please do not attach the log, simply post it in the reply.

I'm not 100% sure if ComboFix has removed what was in the code as when it opened after I moved the CFScript into it, the programme asked me if I wanted to update, and upon clicking 'Yes,' the programme restarted. Would this stop it from carrying out what the code told it to? If yes, I'll run another scan.

ComboFix 09-01-07.02 - HP_Administrator 2009-01-08 15:53:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.488 [GMT 0:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\7C046E08D3.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
c:\windows\system32\d3d9caps.dat
c:\windows\System32\yaqpjd.dll
c:\windows\Tasks\oizwbtue.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\7C046E08D3.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
c:\windows\system32\d3d9caps.dat
c:\windows\Tasks\oizwbtue.job

.
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-06 17:00 . 2009-01-06 17:00 250 --a------ c:\windows\gmer.ini
2008-12-28 16:12 . 2008-12-28 16:37 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-24 16:04 . 2008-12-24 16:04 <DIR> d-------- C:\VundoFix Backups
2008-12-24 15:01 . 2008-12-24 15:00 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 15:01 . 2008-12-24 15:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-24 11:34 . 2008-12-24 11:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 11:34 . 2008-12-24 11:34 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2008-12-24 11:34 . 2008-12-24 11:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 11:34 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 11:34 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 20:08 . 2008-12-23 20:08 <DIR> d-------- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:45 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-07 21:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-07 17:30 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2008-12-24 15:00 --------- d-----w c:\program files\Java
2008-12-23 20:09 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 20:07 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 19:22 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPAppData
2008-12-21 15:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-21 15:10 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Download Manager
2008-12-20 17:19 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sandbox
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 16:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 11:12 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2008-12-06 10:57 --------- d-----w c:\program files\Common Files\Skype
2008-12-06 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2008-12-05 23:59 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2008-12-05 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-05 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-05 23:48 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-11-26 17:53 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-02 10:10 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-07-10 15:37 23 ------w c:\documents and settings\HP_Administrator\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_22.01.29.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-08 15:38:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-03-05 417280]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"VX3000"="c:\windows\vVX3000.exe" [2006-06-29 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-21 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.EXE]

c:\documents and settings\Anthony\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-21 27136]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-21 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-21 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^LivePerson Expert Messenger.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LivePerson Expert Messenger.lnk
backup=c:\windows\pss\LivePerson Expert Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-07 97928]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-03-05 93184]
R4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-09 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-09 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-07 76040]
R4 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S4 DigiChat 5.1 Server;DigiChat 5.1 Server;"c:\program files\DigiChat 5.1\DC_Server_Service.exe" "c:\program files\DigiChat 5.1" --> c:\program files\DigiChat 5.1\DC_Server_Service.exe [?]
S4 DigiChat_4.0_Server;DigiChat 4.0 Server;c:\progra~1\DIGICH~1.0\DIGICH~2.EXE -zglaxservice DigiChat_4.0_Server --> c:\progra~1\DIGICH~1.0\DIGICH~2.EXE -zglaxservice DigiChat_4.0_Server [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezDRMClientSvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf

c:\windows\Downloaded Program Files\MJPEGRender.ocx - O16 -: {96816368-C1E3-414D-A193-63C3CC921990}
hxxp://hhof-inverness.remotemanager.co.uk/common/activex/MJPEGRender.ocx
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\we7g6wew.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 15:56:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-08 15:59:51
ComboFix-quarantined-files.txt 2009-01-08 15:58:34
ComboFix2.txt 2009-01-07 22:03:45

Pre-Run: 123,955,924,992 bytes free
Post-Run: 123,943,288,832 bytes free

226 --- E O F --- 2008-12-19 09:47:00

Nope..the cfscript worked fine. Your log looks clean now too. How does the computer feel to you?

Okay. I have a some questions for you.

"FILE ::
c:\documents and settings\All Users\Application Data\7C046E08D3.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
c:\windows\system32\d3d9caps.dat
►c:\windows\System32\yaqpjd.dll◄
c:\windows\Tasks\oizwbtue.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\7C046E08D3.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
c:\windows\system32\d3d9caps.dat
c:\windows\Tasks\oizwbtue.job"

Under "FILE ::" are listed the files you asked ComboFix to find and delete, yes?

Why is the file c:\windows\System32\yaqpjd.dll not listed under Other Deletions? Does that mean it has not been removed?

The computer seems fine just now. For about the past week the malware wasn't doing anything apart from changing Google searches which has now been sorted. Of course the chances are it was running in the background and taking note of everything typed.

I did a full scan with AdAware, Malwarebtyes' Anti-Malware and AVG and they all came back completely clean.

Can you please confirm for me that the bottom MRU is fine? I was just a bit unsure because it's in the registry:
http://img65.imageshack.us/my.php?image=adawarehe5.jpg

Is it safe to now remove all files from quarantine and the virus vault for these programmes? Just want to make sure it won't place them back where they were on the computer and then this whole problem would start again.

I am on a wireless network and I want to know if malware can send itself onto other machines through the router. I am only receiving a connection - the router is not connected to this computer.

Why is the file c:\windows\System32\yaqpjd.dll not listed under Other Deletions? Does that mean it has not been removed?

The file did not exist. This was just a leftover registry entry pointing to a non-existant file.

Can you please confirm for me that the bottom MRU is fine? I was just a bit unsure because it's in the registry:
http://img65.imageshack.us/my.php?image=adawarehe5.jpg

Is it safe to now remove all files from quarantine and the virus vault for these programmes? Just want to make sure it won't place them back where they were on the computer and then this whole problem would start again

The mru is fine and you can go ahead and clean out your quarantines.

I am on a wireless network and I want to know if malware can send itself onto other machines through the router. I am only receiving a connection - the router is not connected to this computer.

I do not believe these are network worms, so you should be ok in that respect.

Let's uninstall ComboFix

Please navigate to, and delete the following:

• Click on : Start >> Run...
• Type: Combofix /u and hit Enter

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here for your particular Windows Version:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!