01-07-2008, 10:30 PM   #2
PAHUNTER21
Registered User
 
Join Date: Jan 2008
Posts: 12
OS: WinXP SP2


Re: Constant popups/slow pc - Virtumonde infection

OK, I was able to run VundoFix and remove a few files. I am now able to run DSS. Here is the output.

Deckard's System Scanner v20071014.68
Run by Angela on 2008-01-08 00:23:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-01-08 01:49:30 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-01-06 02:21:34 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Angela.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:44 AM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfhvgowg.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Angela\Desktop\dss.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Angela.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73538613-EF18-4628-8EB6-BD2F5F870216} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {365d642b-3313-b70a-2154-90d4c70dd839} - {938dd07c-4d09-4512-a07b-3133b246d563} - C:\WINDOWS\system32\ytaibnhy.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\vtuurop.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [75a17511] rundll32.exe "C:\WINDOWS\system32\yxrydtuy.dll",b
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\RACLE~1\regsvr32.exe" -vt ndrv
O4 - HKCU\..\Run: [Puin] "C:\Documents and Settings\Angela\My Documents\s?stem\?ti2evxx.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142796829733
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\mfhvgowg.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8237 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware bridge driver (32-bit)>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware network application interface driver (32-bit)>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware kernel driver>
R2 vstor2 (Vstor2 Virtual Storage Driver) - c:\program files\common files\vmware\vmware virtual image editing\vstor2.sys <Not Verified; VMware, Inc.; VMware Virtual Machine Importer>

S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 sscdbus (SAMSUNG USB Composite Device driver (WDM)) - c:\windows\system32\drivers\sscdbus.sys <Not Verified; MCCI; SAMSUNG USB Composite Device>
S3 sscdmdfl (SAMSUNG CDMA Modem Filter) - c:\windows\system32\drivers\sscdmdfl.sys <Not Verified; MCCI; SAMSUNG CDMA Modem Filter Driver>
S3 sscdmdm (SAMSUNG CDMA Modem Drivers) - c:\windows\system32\drivers\sscdmdm.sys <Not Verified; MCCI; SAMSUNG CDMA Modem>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DomainService - c:\windows\system32\mfhvgowg.exe /service <Not Verified; ; DDC>
R2 VMAuthdService (VMware Authorization Service) - c:\program files\vmware\vmware server\vmware-authd.exe <Not Verified; VMware, Inc.; VMware Server>
R2 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Server>
R2 vmount2 (VMware Virtual Mount Manager Extended) - "c:\program files\common files\vmware\vmware virtual image editing\vmount2.exe" <Not Verified; VMware, Inc.; VMware Virtual Machine Importer>
R2 vmserverdWin32 (VMware Registration Service) - c:\program files\vmware\vmware server\vmserverdwin32.exe <Not Verified; VMware, Inc.; VMware Server>
R2 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Server>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-12-08 and 2008-01-08 -----------------------------

2008-01-08 00:04:09 0 d-------- C:\VundoFix Backups
2008-01-07 20:43:15 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-01-07 20:43:14 0 d-------- C:\Program Files\SpywareBlaster
2008-01-07 19:47:44 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-07 19:46:26 8576 --a------ C:\WINDOWS\system32\drivers\mkqlwktpdijl.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-07 19:33:16 0 d-------- C:\Program Files\Trend Micro
2008-01-07 16:56:05 74304 -----n--- C:\WINDOWS\system32\mfhvgowg.exe <Not Verified; ; DDC>
2008-01-06 23:45:51 0 d-------- C:\WINDOWS\BDOSCAN8
2008-01-06 22:53:00 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 20:49:37 0 d-------- C:\WINDOWS\McAfee.com
2008-01-05 20:28:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-05 20:28:07 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-05 20:26:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-01-05 20:25:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-01-05 20:25:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-05 20:25:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-05 20:25:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-05 20:25:04 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-05 20:25:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-05 20:25:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-05 20:25:04 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-05 20:25:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-05 20:25:04 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-05 20:25:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-05 20:25:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-05 20:25:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-05 20:25:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-05 20:25:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-05 20:25:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-05 20:25:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-05 20:25:03 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-05 17:48:09 0 d-------- C:\Documents and Settings\Angela\Application Data\Bitdefender
2008-01-05 17:22:00 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-05 17:21:07 0 d-------- C:\Documents and Settings\Angela\.housecall6.6
2008-01-05 17:15:29 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-05 14:49:50 0 d-------- C:\WINDOWS\?racle
2008-01-05 11:12:09 40448 -----n--- C:\WINDOWS\system32\vtuurop.dll
2008-01-05 11:12:06 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2008-01-05 11:11:53 0 d-------- C:\WINDOWS\system32\s?stem32


-- Find3M Report ---------------------------------------------------------------

2008-01-07 20:09:31 0 d-------- C:\Program Files\Google
2008-01-07 20:08:54 0 d-------- C:\Program Files\Common Files\LightScribe
2008-01-07 00:18:42 0 d-------- C:\Program Files\QuickTime
2008-01-07 00:15:20 0 d-------- C:\Program Files\Messenger
2008-01-07 00:14:27 0 d-------- C:\Program Files\iTunes
2008-01-05 17:12:00 0 d-------- C:\Program Files\Common Files
2007-12-02 21:55:12 0 d-------- C:\Documents and Settings\Angela\Application Data\OpenOffice.org2
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73538613-EF18-4628-8EB6-BD2F5F870216}]
C:\WINDOWS\system32\gebyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{938dd07c-4d09-4512-a07b-3133b246d563}]
C:\WINDOWS\system32\ytaibnhy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
01/05/2008 11:12 AM 40448 --------- C:\WINDOWS\system32\vtuurop.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" []
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" []
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE" []
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" []
"75a17511"="C:\WINDOWS\system32\yxrydtuy.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tbsa"="C:\WINDOWS\RACLE~1\regsvr32.exe" []
"Puin"="C:\Documents and Settings\Angela\My Documents\s?stem\?ti2evxx.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\vtuurop.dll [01/05/2008 11:12 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyv


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61137052-5388-11dc-b728-005056c00008}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe




-- End of Deckard's System Scanner: finished at 2008-01-08 00:26:12 ------------

Attached Files
File Type: txt extra.txt (15.6 KB, 4 views)

Last edited by PAHUNTER21; 01-07-2008 at 10:57 PM.