trekrobyn
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: xp


Re: Virtumonde, malware, internet adware, popups, redirection

OK - I followed your instructions. THANK YOU SO MUCH for your time and help. Right now it all looks okay - no popups, and the icon tray at the bottom right looks back to normal. But I haven't done anything else with the computer until I get an "all-clear" from you...

The only part I wasn't sure about: when the computer rebooted, Spybot turned back on (with Tea Timer, I think) and kept asking me whether to accept or deny registry changes and browser helper objects. In the end, I accepted them all, and everything still seems to be running okay... I hope this wasn't a mistake!

Here is the log from combofix:

ComboFix 08-11-17.01 - Marc Perlin 2008-11-18 6:50:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.453 [GMT -5:00]
Running from: c:\documents and settings\Marc Perlin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marc Perlin\Application Data\gadcom
c:\documents and settings\Marc Perlin\Application Data\gadcom\gadcom.exe
c:\documents and settings\Marc Perlin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\ampuokbb.dll
c:\windows\system32\cklduv.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\dsgjvwda.dll
c:\windows\system32\efcYSkif.dll
c:\windows\system32\eLlSBJlm.ini
c:\windows\system32\eLlSBJlm.ini2
c:\windows\system32\hlxgcrgr.dll
c:\windows\system32\mlJBSlLe.dll
c:\windows\system32\msansspc.dll
c:\windows\system32\mzoeef.dll
c:\windows\system32\rgrcgxlh.ini
c:\windows\system32\sbrtdkpu.dll
c:\windows\system32\yayvwxuV.dll
c:\windows\system32\yrrjra.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-17 09:45 . 2008-11-17 09:45 126 --a------ c:\documents and settings\Marc Perlin\delself.bat
2008-11-17 09:35 . 2008-11-17 09:35 35,328 --a------ c:\windows\system32\kwuishpf.exe
2008-11-16 21:53 . 2008-11-16 21:53 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-15 18:00 . 2008-11-15 18:00 250 --a------ c:\windows\gmer.ini
2008-11-15 17:51 . 2008-11-15 17:51 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 14:55 . 2008-11-15 15:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-15 14:55 . 2008-11-15 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 12:03 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-15 19:09 --------- d-----w c:\documents and settings\Marc Perlin\Application Data\HPAppData
2008-10-09 12:33 --------- d-----w c:\program files\Java
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-03-17 1193472]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-03-17 393728]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-03-17 1876480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-30 169472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-05 180269]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

c:\documents and settings\Marc Perlin\Start Menu\Programs\Startup\
DING!.lnk - c:\my downloads\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-05 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2008-03-17 868864]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-30 87936]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2006-09-21 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a95269ce-c9ce-11dc-8158-00166f51cf40}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-02-10 15:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2695C193-E756-4BF2-8F5D-D9E41B4430DB} - c:\windows\system32\mlJBSlLe.dll
BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYSkif.dll
BHO-{B4D5DA60-457E-4FB6-BA34-E32777D37752} - (no file)
ShellExecuteHooks-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\efcYSkif.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Marc Perlin\Application Data\Mozilla\Firefox\Profiles\yutbtddt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/home/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 07:00:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\progra~1\Google\GOOGLE~1\GOA66E~1.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-11-18 7:11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 12:10:51

Pre-Run: 21,062,258,688 bytes free
Post-Run: 20,712,157,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

195 --- E O F --- 2008-11-15 15:36:10