VX2 Infections

3 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

EzuLa/Virtumonde/VX2 Infections18th December 2008, 6:25 pm

A neighbor of mine came to me asking for help with her computer yesterday, stating that it was acting extremely slow and would no longer let her connect to the internet/would connect, but wouldn't let her browse much, if at all. I ran Ad Aware 2008 and got at least a starting point for what was wrong, which is what I'm posting about. Here's the initial HijackThis log that I just took from her computer. Any help would be appreciated.

-----

Logfile of HijackThis v1.99.1
Scan saved at 1:21:21 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll (file missing)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: (no name) - {9E703FD4-AA5C-4767-96C9-D26C375D553A} - c:\windows\system32\deskmong.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BB5EFE2C-734E-4E26-B1D0-B435E62061B3} - C:\WINDOWS\system32\bthciu.dll
O2 - BHO: (no name) - {EB5A4725-72E7-44F9-A452-322F472324F9} - C:\WINDOWS\System32\iloidc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet4_80.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: sslpwghq - C:\WINDOWS\SYSTEM32\deskmong.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:42 pm

Hello.

You have a pretty nasty infection, the infection is old, very old infact, but still nasty.
Before we can even attempt cleaning, we need to try and get net connection working and atleast stop the malware from launching at startup.

Please be very careful with this next tool

Please download LSPfix from here:
http://www.downloads.subratam.org/lspfix.zip
Unzip it to the desktop and run it. Check "I know what I'm doing", and then select each instance of "newdotnet4_80.dll" in the left-hand panel and click >> to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Then that should get the internet going again, now read here and post a Hijack This log from the new version of Hijack This. Your current version you are using is old and has a few bugs in it, which could lead mistakes.

http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/read-this-before-posting-t3821.htm

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:58 pm

Okay. I ran the LSPfix software and downloaded the new version of HT. Here's the new log:

-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:17 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\Owner\Desktop\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll (file missing)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: (no name) - {9E703FD4-AA5C-4767-96C9-D26C375D553A} - c:\windows\system32\deskmong.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BB5EFE2C-734E-4E26-B1D0-B435E62061B3} - C:\WINDOWS\system32\bthciu.dll
O2 - BHO: (no name) - {EB5A4725-72E7-44F9-A452-322F472324F9} - C:\WINDOWS\System32\iloidc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: sslpwghq - C:\WINDOWS\SYSTEM32\deskmong.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

--
End of file - 5434 bytes

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:59 pm

Open HijackThis
Choose "Do a system scan only"
Check the boxes in front of these lines:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll (file missing)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: (no name) - {9E703FD4-AA5C-4767-96C9-D26C375D553A} - c:\windows\system32\deskmong.dll
O2 - BHO: (no name) - {BB5EFE2C-734E-4E26-B1D0-B435E62061B3} - C:\WINDOWS\system32\bthciu.dll
O2 - BHO: (no name) - {EB5A4725-72E7-44F9-A452-322F472324F9} - C:\WINDOWS\System32\iloidc.dll (file missing)
O3 - Toolbar: (no name) - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - (no file)
O20 - Winlogon Notify: sslpwghq - C:\WINDOWS\SYSTEM32\deskmong.dll
Press "Fix Checked"
Close Hijack This.

Delete these files in bold:
c:\windows\system32\deskmong.dll
C:\WINDOWS\system32\bthciu.dll
C:\WINDOWS\Nail.exe

Download combofix from here, use the top links - combofix.exe
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:08 pm

I ran HT and fixed the selected items, but I was unable to delete the three items told. The .dlls gave me the "access denied - file in use or insufficient privileges" message, and the .exe didn't seem to be in the folder, even with hidden files on. I also can't run ComboFix on the offending computer because I don't have an internet connection for it at present. Suggestions?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:18 pm

Do you have a USB thumb driver we can use?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:23 pm

I do - how much of a risk for infection is there by switching it between computers, by the way?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:29 pm

If were careful, none.

Plug the thumb drive into this clean computer you are posting to here from, then do this:

Please download Flash_Disinfector from HERE

First, download it to your desktop.
Now double click it to run it and will tell it you what to do when you open it.
It will temporarily kill explorer.exe and your desktop will go blank.
Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
It will make a dummy autorun.inf in the root of every drive.
You can now delete Flash_Disinfector.exe.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:43 pm

Okay, it popped up and said Done. What next?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:44 pm

Now you can use the thumb drive to transfer combofix onto the infected machine.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:46 pm

Should I go ahead with it since I can't download the recovery console onto it?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:47 pm

Yes, choose not to install the console and do a scan without the console.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:04 pm

I tried running ComboFix on the computer, but it gave me a message when it started to open that said "Windows cannot open the specified device, path, or file," referring to 32788R22FWJFW\hidec.exe, and wouldn't run.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:07 pm

Okay, I not wasting anytime here, this infection is rather annoying to start with, I don't want it to bring anymore friends onto this machine.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\Nail.exe
c:\windows\system32\deskmong.dll
C:\WINDOWS\system32\bthciu.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Input script here:", paste in the script from the quote box above.
Leave the ticked box "Scan for rootkit" ticked.
Then tick "Disable any rootkits found"
Now click on the Execute to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:22 pm

Here's the Avenger log.

-----

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\Nail.exe" not found!
Deletion of file "C:\WINDOWS\Nail.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "c:\windows\system32\deskmong.dll"
Deletion of file "c:\windows\system32\deskmong.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error: could not open file "C:\WINDOWS\system32\bthciu.dll"
Deletion of file "C:\WINDOWS\system32\bthciu.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.

*******************

Finished! Terminate.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:24 pm

Not this again.
We need to get CF going, can you rename combofix to combo-gp-fix.exe and try running it?

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:27 pm

It's still giving me the same error as before. No luck there.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:53 pm

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:35 pm

Here's log.txt.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2008-12-18 17:32:58
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 48 GB (68%) free of 72 GB
Total RAM: 512 MB (50% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-12-15 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E703FD4-AA5C-4767-96C9-D26C375D553A}]
c:\windows\system32\deskmong.dll [2001-08-17 104960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-15 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB5EFE2C-734E-4E26-B1D0-B435E62061B3}]
C:\WINDOWS\system32\bthciu.dll [2004-08-04 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
c:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
ID
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-15 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2004-03-10 406016]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe [2005-07-19 40960]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-03-12 517768]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe [2005-07-19 57344]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2003-08-05 1578160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9312075.exe]
C:\WINDOWS\System32\9312075.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-15 1235736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
- []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\checktime]
c:\program files\HPSelect\Frontend\ct.exe [2001-08-13 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cip]
C:\WINDOWS\Web\cip.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddbmyqi]
C:\WINDOWS\System32\vgltjeme.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2002-07-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2006-01-17 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
c:\Program Files\Microsoft Money\System\Money Express.exe [2001-07-25 184376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2003-08-05 1578160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nflzltnijqbj]
C:\WINDOWS\system32\nflzltnijqbj.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2004-04-13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe [2005-04-13 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2
"LiveUpdate Notice Service"=2
"LiveUpdate"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sslpwghq]
C:\WINDOWS\system32\deskmong.dll [2001-08-17 104960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\KaZaA\kazaa.exe"="C:\Program Files\KaZaA\kazaa.exe:*:Disabled:Kazaa Media Desktop"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\WINDOWS\SYSTEM32\syscpy.exe"="C:\WINDOWS\SYSTEM32\syscpy.exe:*:Disabled:syscpy"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-18 17:33:00 ----D---- C:\Program Files\trend micro
2008-12-18 17:32:58 ----D---- C:\rsit
2008-12-18 16:27:22 ----A---- C:\WINDOWS\system32\CF16355.exe
2008-12-18 16:26:56 ----D---- C:\32788R22FWJFW
2008-12-18 16:18:39 ----D---- C:\Avenger
2008-12-18 16:18:39 ----A---- C:\avenger.txt
2008-12-18 16:04:32 ----A---- C:\WINDOWS\system32\CF11897.exe
2008-12-18 16:03:12 ----A---- C:\Start_.cmd
2008-12-18 16:03:11 ----A---- C:\WINDOWS\system32\CF11600.exe
2008-12-18 16:02:55 ----A---- C:\Bug.txt
2008-12-18 16:02:52 ----A---- C:\WINDOWS\system32\cmd.execf
2008-12-17 16:40:16 ----D---- C:\Program Files\Lavasoft
2008-12-17 16:40:14 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-17 16:38:54 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-16 21:07:00 ----D---- C:\WINDOWS\pss
2008-12-15 21:26:11 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-15 21:25:54 ----D---- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-12-13 18:11:19 ----HD---- C:\$AVG8.VAULT$
2008-12-13 17:13:08 ----D---- C:\Program Files\AVG
2008-12-13 17:13:08 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-13 01:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-13 01:02:20 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-13 01:02:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-20 09:24:04 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 1 months======

2008-12-18 17:33:06 ----D---- C:\WINDOWS\Temp
2008-12-18 17:33:00 ----D---- C:\WINDOWS\SYSTEM32
2008-12-18 17:33:00 ----AD---- C:\Program Files
2008-12-18 17:32:54 ----D---- C:\WINDOWS\Prefetch
2008-12-18 16:22:00 ----SHD---- C:\System Volume Information
2008-12-18 16:20:58 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2008-12-18 16:18:39 ----D---- C:\WINDOWS\system32\drivers
2008-12-18 16:18:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-18 13:06:47 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-18 13:06:43 ----D---- C:\WINDOWS
2008-12-17 20:04:20 ----RASH---- C:\BOOT.INI
2008-12-17 20:04:20 ----A---- C:\WINDOWS\win.ini
2008-12-17 20:04:20 ----A---- C:\WINDOWS\System.ini
2008-12-17 19:59:24 ----D---- C:\Program Files\Hewlett-Packard
2008-12-17 19:59:22 ----D---- C:\WINDOWS\system32\AppCert
2008-12-17 17:47:57 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-17 17:37:18 ----SD---- C:\WINDOWS\Tasks
2008-12-17 16:41:17 ----SHD---- C:\WINDOWS\Installer
2008-12-17 16:38:54 ----D---- C:\Program Files\Common Files
2008-12-17 16:32:24 ----D---- C:\Program Files\Greeting Card Creator 32
2008-12-17 16:32:11 ----D---- C:\WINDOWS\ShellNew
2008-12-17 16:30:38 ----D---- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-12-17 16:30:37 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-17 16:27:03 ----D---- C:\WINDOWS\INF
2008-12-16 21:28:04 ----D---- C:\WINDOWS\HELP
2008-12-15 22:13:37 ----D---- C:\WINDOWS\system32\Restore
2008-12-15 22:13:16 ----D---- C:\WINDOWS\Minidump
2008-12-15 21:22:37 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2008-12-15 16:14:19 ----D---- C:\Program Files\LimeWire
2008-12-13 19:42:02 ----D---- C:\Program Files\NewDotNet
2008-12-13 18:45:34 ----D---- C:\Program Files\KaZaA
2008-12-13 17:13:05 ----D---- C:\WINDOWS\WinSxS
2008-12-13 17:03:34 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-12-13 17:00:31 ----D---- C:\Program Files\Symantec
2008-12-13 17:00:28 ----D---- C:\Program Files\Norton AntiVirus
2008-12-13 17:00:14 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-12-13 16:54:37 ----D---- C:\Documents and Settings\Owner\Application Data\Symantec
2008-12-13 01:02:25 ----A---- C:\WINDOWS\imsins.BAK
2008-12-13 01:02:22 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-13 01:02:14 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-11 18:09:56 ----A---- C:\WINDOWS\hpqcopy.INI

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:38 pm

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-15 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-15 26824]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-17 12032]
R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-15 76040]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ASAPIW2k;ASAPIW2K; C:\WINDOWS\system32\drivers\ASAPIW2k.sys [2004-03-11 11264]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2001-09-27 702777]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2001-09-16 13716]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2001-09-24 463848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S3 Dot4 HPH09;Dot4 HPH09; C:\WINDOWS\System32\DRIVERS\hphid409.sys [2001-08-23 50704]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-04 207360]
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09; C:\WINDOWS\System32\DRIVERS\hphipr09.sys [2001-08-23 15984]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09); C:\WINDOWS\System32\Drivers\hphs2k09.sys [2001-08-23 50211]
S3 Dot4Usb HPH09;Dot4Usb HPH09; C:\WINDOWS\System32\drivers\hphius09.sys [2001-08-23 18864]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 Freedom;FREEDOM Miniport; C:\WINDOWS\System32\DRIVERS\FREEDOM.SYS []
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 S3SavageNB;S3SavageNB; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2001-10-12 114816]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 SYMTDI;SYMTDI; - []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-01-19 100032]
R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-15 875288]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-15 231704]
R2 dwrpsdxa;Remote Access Auto Connection Support; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2001-09-27 57344]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 Pml Driver;Pml Driver; C:\WINDOWS\System32\HPHipm09.exe [2001-08-23 77824]
S4 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-03-12 517768]
S4 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-01-19 2041536]
S4 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-08-19 1174152]

-----------------EOF-----------------

-----

Here's the beginning of info.txt.

-----

info.txt logfile of random's system information tool 1.05 2008-12-18 17:33:18

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee-->C:\PROGRA~1\ACDSYS~1\ACDSee\UNWISE.EXE C:\PROGRA~1\ACDSYS~1\ACDSee\INSTALL.LOG
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
AVG 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
HijackThis 2.0.2-->"C:\Documents and Settings\Owner\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998)-->"C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp instant support-->C:\PROGRA~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
HP Learning Adventure-->c:\program files\HPSelect\Frontend\uninstall.exe
HP Photo and Imaging 1.0 - Scanjet 2300c Series-->MsiExec.exe /I{9D18465E-8B80-4AC1-8ABB-B42978B171E3}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{766D34D4-1424-4428-9BE0-90D8E5D65E92}
HP Photo Imaging Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\hpiunCX.dll
HP Photo Printing Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
hp photosmart printer series (Remove only)-->C:\Program Files\hp photosmart\printer\hphuni03.exe
HP RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
HP Share-to-Web-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\Setup.exe" --MAIN -l9
ImageMixer VCD/DVD2 for OLYMPUS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}\Setup.exe" -l0x9 UNINSTALL

Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
InterVideo WinDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment Standard Edition v1.3-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3\Uninst.isu"
KazooStudio-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Kazoo3D\KazooStudio\Uninst.isu" -c"C:\Program Files\Kazoo3D\KazooStudio\UnInst.dll"
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 3.0 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Money 2002 System Pack-->MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Money 2002-->MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Picture It! Photo Premium 7.0-->MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE133}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 6.0-->MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works and Money 2002 Setup Launcher-->C:\Program Files\Microsoft Works and Money 2002\Setup\Launcher.exe \hp\tmp\src\
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Musicmatch

Jukebox-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
My Photo Center-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\My Photo Center\Uninst.isu"
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
oggcodecs 0.71.0946-->C:\Program Files\illiminable\oggcodecs\uninst.exe
OLYMPUS Master-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Pinnacle Instant PhotoAlbum-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A835519A-4EFC-4554-9D61-0BB4FC54D81B}\Setup.exe" -l0x9 UNINSTALL
Python 1.5 combined Win32 extensions-->C:\PROGRA~1\Python\UNWISE~1.EXE C:\PROGRA~1\Python\W32INST.LOG
Python 1.5.2 (final)-->C:\PROGRA~1\Python\UNWISE.EXE C:\PROGRA~1\Python\INSTALL.LOG
qidion - Toolbar-->regsvr32 /u /s "C:\WINDOWS\qi32.dll"
Quicken Financial Center-->C:\PROGRA~1\QUICKE~1\rem\UNWISE.EXE /s C:\PROGRA~1\QUICKE~1\rem\INSTALL.LOG
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RCA SMV Video Converter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03FB0ED6-F37C-49A9-BBC5-AAE30E111E4C}\setup.exe" -l0x9 -remove
S3 Gamma-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility-->S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
Search Assistant Uninstall-->regsvr32 /s /u C:\WINDOWS\System32\iloidc.dll

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:40 pm

Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:41 pm

Shockwave-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic Foundry Super Duper Music Looper XPress-->MsiExec.exe /I{7B4BB888-B44E-4B91-BEE9-FE14B312B58C}
Studio-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pinnacle\Studio\Studio7.isu" -a -cC:\WINDOWS\Studio7.dll
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Tcl 8.0.5 for Windows-->C:\PROGRA~1\Tcl\UNWISE.EXE C:\PROGRA~1\Tcl\INSTALL.LOG
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
WildTangent Web Driver-->C:\WINDOWS\wt\updater\wcmdmgr.exe -uninstall wtwebdriver
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Messenger 5.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314B10138}
Windows SR 3.0-->C:\WINDOWS\UnstSA3.exe
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WordPerfect Office 2002 Try Before You Buy-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Office 2002 Try Before You Buy-->MsiExec.exe /I{29D88826-2AB9-11D5-8854-00902761A46D}

=====HijackThis Backups=====

O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: (no name) - {9E703FD4-AA5C-4767-96C9-D26C375D553A} - c:\windows\system32\deskmong.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\pic.dat (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {BB5EFE2C-734E-4E26-B1D0-B435E62061B3} - C:\WINDOWS\system32\bthciu.dll
O20 - Winlogon Notify: sslpwghq - C:\WINDOWS\SYSTEM32\deskmong.dll
O3 - Toolbar: (no name) - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - (no file)
O2 - BHO: (no name) - {EB5A4725-72E7-44F9-A452-322F472324F9} - C:\WINDOWS\System32\iloidc.dll (file missing)

======Security center information======

AV: AVG Anti-Virus (outdated)

System event log

Computer Name: YOUR-W92P4BHLZG
Event Code: 6005
Message: The Event log service was started.

Record Number: 2057
Source Name: EventLog
Time Written: 20081103192045.000000-300
Event Type: information
User:

Computer Name: YOUR-W92P4BHLZG
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.

Record Number: 2056
Source Name: EventLog
Time Written: 20081103192045.000000-300
Event Type: information
User:

Computer Name: YOUR-W92P4BHLZG
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 2055
Source Name: EventLog
Time Written: 20081101140343.000000-240
Event Type: information
User:

Computer Name: YOUR-W92P4BHLZG
Event Code: 19
Message: Installation Successful: Windows successfully installed the following update: Security Update for Windows XP (KB954211)

Record Number: 2054
Source Name: Windows Update Agent
Time Written: 20081101140334.000000-240
Event Type: information
User:

Computer Name: YOUR-W92P4BHLZG
Event Code: 4377
Message: Windows XP Hotfix KB954211 was installed.

Record Number: 2053
Source Name: NtServicePack
Time Written: 20081101140333.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: YOUR-W92P4BHLZG
Event Code: 101
Message: Information Level: error

Internet connection not detected.

Record Number: 37654
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081117204506.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-W92P4BHLZG
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 8:45 PM.

Record Number: 37653
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081117204006.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-W92P4BHLZG
Event Code: 101
Message: Information Level: error

Internet connection not detected.

Record Number: 37652
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081117204006.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-W92P4BHLZG
Event Code: 101
Message: Information Level: success

Rolling back the schedule; execution will occur at approximately 8:40 PM.

Record Number: 37651
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081117203506.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-W92P4BHLZG
Event Code: 101
Message: Information Level: error

Internet connection not detected.

Record Number: 37650
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081117203506.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:51 pm

Okay, lets try something alittle different this time.

Now open a new notepad file.
Input this into the notepad file:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E703FD4-AA5C-4767-96C9-D26C375D553A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB5EFE2C-734E-4E26-B1D0-B435E62061B3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9312075.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cip]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddbmyqi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nflzltnijqbj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sslpwghq]
Save this as fix.reg, save it to your desktop.
Double click fix.reg to run it.
Select yes to the registry merge prompt.

Rename whatever name combofix has now to Combo-Fix.exe.

Then press Start > Run
type this in:
"%userprofile%\Desktop\Combo-Fix.exe" /killall
Press enter
====

If that doesn't work, download combofix from one of the bottom links from the combofix download page in my combofix instructions and try running that.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:28 pm

Unfortunately, it's still giving me the same issue with hidec.exe, it seems.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:49 pm

Hello.
Sorry, but I admit defeat on this.
I had another user with this rootkit that protects the vundo, and I only just managed to beat it because we got CF running. I doubt I would of won without that.

I would rather you go for formatting, the rootkit is well hidden.

Re: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:54 pm

Okay, then. I'll take your advice for it. I've not formatted a computer before myself, but I have someone who can help me with it. I do appreciate the help, even if it didn't work.

Re: EzuLa/Virtumonde/VX2 Infections19th December 2008, 12:01 am

These links may help you.

When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Re: EzuLa/Virtumonde/VX2 Infections24th January 2009, 10:11 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

EzuLa/Virtumonde/VX2 Infections

descriptionEzuLa/Virtumonde/VX2 Infections18th December 2008, 6:25 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:42 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:58 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 7:59 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:08 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:18 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:23 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:29 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:43 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:44 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:46 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 8:47 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:04 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:07 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:22 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:24 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:27 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 9:53 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:35 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:38 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:40 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:41 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 10:51 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:28 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:49 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections18th December 2008, 11:54 pm

descriptionRe: EzuLa/Virtumonde/VX2 Infections19th December 2008, 12:01 am

descriptionRe: EzuLa/Virtumonde/VX2 Infections24th January 2009, 10:11 am

descriptionRe: EzuLa/Virtumonde/VX2 Infections