Virtumonde


13 replies to this topic

#1 coda2 (New Member, 8 posts)

Posted 18 November 2007 - 12:13 PM

Hello,
Help would be appreciated with the Virtumonde Trojan, which I am confident my son has acquired through the Facebook website. Our PC has been virus/trojan free for some 18 months. Our operating system is XP and the only recent software change has been upgrading to IE v7, which appears to coincide with the Trojan/virus. Our system has AVG Anti-Spyware 7.5 and McAfee VirusScan 7.1, both of which have detected Virtumonde but fail to get rid of it.

AVG also identifies malware Downloader.conhook.hl _c0038AO.dat

I have run hijackthis and attach the report for any advice and action.

Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe "
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - C:\WINDOWS\system32\mllmk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xazmxner.dll
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xazmxner.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00388A0.dat
O20 - Winlogon Notify: xazmxner - C:\WINDOWS\SYSTEM32\xazmxner.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 5544 bytes

Regards
Mike
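The log above shows the persistence pattern this thread is about: a BHO, a toolbar, a Winlogon Notify package, an AppInit_DLLs value and a rundll32 Run entry, most of them pointing at randomly named DLLs in system32. The script below is an added example (not code from the forum, HijackThis or ComboFix) that triages HJT log lines with those heuristics; the allowlists and the random-name rule are assumptions.

```python
"""Triage HijackThis (HJT) log lines for the Virtumonde persistence pattern in this thread.
Added example; not code from the forum, HijackThis or ComboFix. The allowlists and the
random-name heuristic are assumptions, not HJT's own rules."""
import re

# Constructed sample: a subset of the O2/O3/O4/O20 lines from the first log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - C:\WINDOWS\system32\mllmk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xazmxner.dll
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xazmxner.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00388A0.dat
O20 - Winlogon Notify: xazmxner - C:\WINDOWS\SYSTEM32\xazmxner.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"\[(?P<val>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_RE = re.compile(r'\\system32\\([^\\\s",]+)', re.IGNORECASE)  # basename under system32

# Assumption: CLSIDs of the legitimate BHOs/toolbars that appear in this thread's logs.
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe PDF Reader Link Helper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper (logged as "(no name)")
    "{327C2873-E90D-4C37-AA9D-10AC9BABA46C}",  # Canon Easy-WebPrint toolbar
}
# Assumption: Winlogon Notify subkeys present on a stock XP SP2 install (lowercase).
DEFAULT_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                           "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def looks_random(filename):
    """Heuristic: a lowercase-only stem of 5-9 letters with a run of four or more
    consonants (xazmxner, mllmk, gjwxjssi, djwtnfhr); AcroIEHelper, Toolband and
    browseui do not match."""
    stem = filename.rsplit(".", 1)[0]
    return bool(re.fullmatch(r"[a-z]{5,9}", stem) and re.search(r"[^aeiou]{4}", stem))

def check_bho_or_toolbar(body):
    m = BHO_RE.match(body)
    if not m or m.group("clsid").upper() in KNOWN_GOOD_CLSIDS:
        return None
    name, path = m.group("name"), m.group("path")
    if "(file missing)" in path or "(no file)" in path:
        return "dangling BHO/toolbar registration (file gone, registry key remains)"
    if name == "(no name)":
        return "unnamed BHO/toolbar outside the allowlist"
    if re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", name):
        return "BHO whose display name is a bare CLSID"
    sys32 = SYSTEM32_RE.search(path)
    if sys32 and looks_random(sys32.group(1)):
        return "loads a random-named DLL from system32"
    return None

def check_run_entry(body):
    m = RUN_RE.search(body)
    if not m or "rundll32" not in m.group("cmd").lower():
        return None
    val, cmd = m.group("val"), m.group("cmd")
    if re.fullmatch(r"[0-9a-f]{8}", val):
        return "rundll32 Run entry under a random 8-hex-digit value name"
    sys32 = SYSTEM32_RE.search(cmd)
    if sys32 and looks_random(sys32.group(1)):
        return "rundll32 Run entry loading a random-named system32 DLL"
    return None

def check_o20(body):
    if body.startswith("AppInit_DLLs:"):
        # Empty on a clean XP box; anything listed is mapped into every GUI process.
        return "non-empty AppInit_DLLs" if body.split(":", 1)[1].strip() else None
    if body.startswith("Winlogon Notify:"):
        package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if package not in DEFAULT_WINLOGON_NOTIFY:
            return "Winlogon Notify package not in the XP defaults (runs inside winlogon.exe)"
    return None

CHECKS = {"O2": check_bho_or_toolbar, "O3": check_bho_or_toolbar,
          "O4": check_run_entry, "O20": check_o20}

def triage(log_text):
    """Return (kind, reason, line) for every HJT line that trips a heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append((m.group("kind"), reason, line))
    return findings

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

Entries the script leaves alone (Adobe, Spybot, Canon, type32, ctfmon) are exactly the ones the helper in this thread also leaves alone; the seven it flags are the ones the CFScript and HJT fix lists target.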



#2 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 18 November 2007 - 01:31 PM

1) You will need to disable Spybot's Tea Timer function, if it is running, as it may interfere with this fix. - this is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
2) Download Combofix by sUBs from here and save it to your Desktop.
  • Double click combo.exe to run it and follow the prompts.
  • Please Note: This may require the PC to be rebooted so close any programs you have open before you start.
  • When the tool has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Please Note:
  • Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  • Disable Script Blocking if you have NAV installed, and your version has this option, as it will interfere with the normal working of this tool.
  • Should any security program warnings appear, ignore them as they are false-positives - this tool isn't malicious.
3) Run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Death to the salad eaters!

#3 coda2 (New Member, 8 posts)

Posted 19 November 2007 - 01:44 PM

Hi
Apologies for the delay in responding. Below is the ComboFix log, as requested, and the HijackThis log. Symptoms still remain, I'm afraid: system tray pop-ups, PC running slow, etc.

ComboFix 07-11-08.1 - Administrator 2007-11-18 20:39:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.262 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Security Programs\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\kmllm.ini
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mllmk.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\mtdqcmqt.dll
C:\WINDOWS\system32\rimdnvof.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\xazmxner.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 20:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 16:46 <DIR> d-------- C:\Program Files\InterMute
2007-11-16 20:37 85,056 --a------ C:\WINDOWS\system32\gjwxjssi.dll
2007-11-16 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 17:00 78,283 --a------ C:\WINDOWS\system32\hhoubbrc.dll
2007-11-13 09:24 145,984 --a------ C:\WINDOWS\system32\yfhedaxk.dll
2007-11-13 09:24 145,984 --a------ C:\WINDOWS\system32\xazmxner.dll
2007-11-12 16:26 313,496 --a------ C:\WINDOWS\system32\geedd.dll
2007-11-12 15:26 313,496 --a------ C:\WINDOWS\system32\awvtr.dll
2007-11-12 11:26 313,496 --a------ C:\WINDOWS\system32\mlljj.dll
2007-11-12 09:26 313,496 --a------ C:\WINDOWS\system32\ssqro.dll
2007-11-12 06:26 313,496 --a------ C:\WINDOWS\system32\ddcyy.dll
2007-11-11 20:26 316,400 --a------ C:\WINDOWS\system32\geebc.dll
2007-11-11 18:47 314,948 --a------ C:\WINDOWS\system32\jkhhg.dll
2007-11-11 17:54 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-11 04:30 313,496 --a------ C:\WINDOWS\system32\pmkhh.dll
2007-11-10 20:30 313,496 --a------ C:\WINDOWS\system32\ddabc.dll
2007-11-10 19:30 313,496 --a------ C:\WINDOWS\system32\geede.dll
2007-11-09 21:37 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-09 21:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-09 20:28 314,948 --a------ C:\WINDOWS\system32\jkhfg.dll
2007-11-09 13:12 314,948 --a------ C:\WINDOWS\system32\ddccy.dll
2007-11-08 16:20 35,328 --a------ C:\WINDOWS\system32\iifebby.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-21 20:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Canon
2006-08-15 19:42 31,952 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C3E0BE6-8C19-4FD6-9141-77CE719D23A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-13 09:24 145984 --a------ C:\WINDOWS\system32\xazmxner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ddffba68-909d-41db-8ad0-03dc2f1cc516}]
C:\WINDOWS\system32\djwtnfhr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\xazmxner.dll [2007-11-13 09:24 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 14:10]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 13:20]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50]
"d8a5faf1"="C:\WINDOWS\system32\gjwxjssi.dll" [2007-11-16 20:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xazmxner]
xazmxner.dll 2007-11-13 09:24 145984 C:\WINDOWS\system32\xazmxner.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 15:08:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 20:47:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 20:49:26 - machine was rebooted
.
--- E O F ---

#4 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 19 November 2007 - 02:15 PM

Post a fresh HJT log as well.

Run HJT and click on Open the Misc Tools section.

  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Let me have the rest of what I asked for, and I'll get back to you when I've had time to work through all the information.
Death to the salad eaters!

#5 coda2 (New Member, 8 posts)

Posted 19 November 2007 - 02:19 PM

Hi
Doing my best. HJT log file below, only this time I have used v1.99.1 as advised by the site - I unwittingly used v2 for the first log posted. Please advise if you wish me to repeat everything.

Mike

Logfile of HijackThis v1.99.1
Scan saved at 20:12:10, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthisv1.99.1.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xazmxner.dll
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xazmxner.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: xazmxner - C:\WINDOWS\SYSTEM32\xazmxner.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#6 coda2 (New Member, 8 posts)

Posted 19 November 2007 - 02:24 PM

HJT Uninstall list:

Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
Apple Software Update
ArcSoft PhotoImpression 4
AVG Anti-Spyware 7.5
Canon CanoScan Toolbox 4.5
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
CWClient
Cypress USB Mass Storage Driver Installation
Digimax L50
Digimax Reader
Digimax Viewer 2.1
DVD Decrypter (Remove Only)
DVD Shrink 3.1.7
Easy-WebPrint
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
iPod for Windows 2005-09-23
iTunes
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Napster
Nokia Connectivity Cable Driver
Nokia PC Suite
QuickTime
Realtek AC'97 Audio
Roxio Burn Engine
Roxio Easy Media Creator 7
ScanSoft OmniPage Pro 14.0
Spybot - Search & Destroy 1.4
TOSHIBA Bluetooth Stack for Apache by CSR
USB Storage Adapter FX (SM1)
Windows Internet Explorer 7

#7 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 19 November 2007 - 02:43 PM

Your latest HJT log shows that you haven't downloaded the file, but are running it from your Temporary Internet Files folder while it is zipped.
You need to download a copy to your Desktop, or anywhere else you wish, unzip it and then use it. It needs to be unzipped as HJT makes backups of what it removes to enable mistakes to be rectified.
http://ralphcaddell....tion_wizard.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you have done the above, copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
C:\WINDOWS\system32\gjwxjssi.dll
C:\WINDOWS\system32\hhoubbrc.dll
C:\WINDOWS\system32\yfhedaxk.dll
C:\WINDOWS\system32\xazmxner.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\iifebby.dll
C:\WINDOWS\SYSTEM32\xazmxner.dll


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xazmxner.dll
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xazmxner.dll

O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b

O20 - Winlogon Notify: xazmxner - C:\WINDOWS\SYSTEM32\xazmxner.dll


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

Let me have a fresh HJT log as well.
Death to the salad eaters!

#8 coda2 (New Member, 8 posts)

Posted 19 November 2007 - 03:06 PM

Hi. Possible problem: when I dragged the script file onto the combo icon, I received a message informing me that the program had expired, followed by a window confirming abort! Shall I download the combo program again? Mike

#9 coda2 (New Member, 8 posts)

Posted 19 November 2007 - 03:14 PM

Update: the combo icon has disappeared, so I downloaded the program once more. I then dragged the script file onto the combo icon and received the symptoms as before, plus the combo.exe has automatically uninstalled itself! The combo program icon is within a folder on the desktop - the same location as the script.txt file. Mike

#10 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 19 November 2007 - 04:20 PM

Combofix has a time limit setting to prevent an old version causing problems. You will need to get hold of a different version and complete the instructions - you'll need to be quick though, as this one is going to go the same way shortly: CF linky
Death to the salad eaters!

#11 coda2 (New Member, 8 posts)

Posted 22 November 2007 - 01:17 PM

Apologies for the inactivity due to business commitments. This evening I powered up the PC and received in the in-tray the usual yellow triangle/pop-up/balloon associated with the Virtumonde Trojan.

On boot-up AVG and McAfee start and each updates itself on a daily basis. Guess what: the McAfee program found the Virtumonde Trojan/virus, but this time the file was deleted. Last Thursday when I was infected the program identified the Trojan but was unable to do anything with it, i.e. Move/Clean Failed.

I suspect McAfee programmers have worked on this Trojan and the update was very recently released. My PC has no symptoms whatsoever. I have re-run AVG for spyware and McAfee, plus CWShredder and Spybot.

Whilst the PC is running fine with regard to speed and has no other symptoms, Spybot still finds the Virtumonde virus when scanning. Despite the fix in Spybot, repeated scans detect Virtumonde every time, whilst McAfee does not - weird!

Attached is my latest HJT log.

Just running Spybot now; I will post the scan findings prior to the Fix in about 20 mins.

Please advise on how to proceed.

Once again many thanks for your input to date!

Mike


Logfile of HijackThis v1.99.1
Scan saved at 19:00:32, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Security Programs\hijackthisv1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - (no file)
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: xazmxner - xazmxner.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Edited by coda2, 22 November 2007 - 01:19 PM.


#12 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 22 November 2007 - 01:40 PM

Did you carry out the CFScript step from my earlier post?
Death to the salad eaters!

#13 coda2 (New Member, 8 posts)

Posted 22 November 2007 - 02:22 PM

No, I didn't run ComboFix as everything appears to be okay. Below are the Spybot results:

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1205901748-3138897192-501072724-500\Software\Microsoft\aldd

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-11-18 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-11-14 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-14 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-11-14 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-14 Includes\KeyloggersC.sbi (*)
2004-05-12 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-11-14 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-14 Includes\PUPSC.sbi (*)
2007-11-14 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-14 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-14 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-14 Includes\Trojans.sbi (*)
2007-11-14 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

#14 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 22 November 2007 - 05:20 PM

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {4C3E0BE6-8C19-4FD6-9141-77CE719D23A6} - (no file)
O2 - BHO: {615cc1f2-cd30-0da8-bd14-d90986abffdd} - {ddffba68-909d-41db-8ad0-03dc2f1cc516} - C:\WINDOWS\system32\djwtnfhr.dll (file missing)

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

O4 - HKLM\..\Run: [d8a5faf1] rundll32.exe "C:\WINDOWS\system32\gjwxjssi.dll",b

O20 - Winlogon Notify: xazmxner - xazmxner.dll (file missing)


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Should you wish to run the CFScript to delete any of the malicious files that the list contains that may still be on your computer, you will need a new copy of ComboFix, which is available here.

3) Once you have completed either one or both of the above, I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Disable System Restore,
Reboot your PC,
Re-enable System Restore,
Create a Restore Point - this will give a clean one should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
Death to the salad eaters!
