Tech Support Forum - View Single Post - Virtumonde, malware, internet adware, popups, redirection

trekrobyn · 11-18-2008, 06:52 PM

ComboFix run again, submitted the requested file.

One question - when I dragged the script.txt into combofix, it asked if I wanted to download the newest version of Combofix. In this case, I did not choose to do so, since I had downloaded this version only this morning, and figured that this was what you were operating from when you gave me the advice.

If I should re-do this, and do it with the most updated version of Combofix available, please advise.

Meanwhile, here is the log produced by Combofix tonight.

Thank you so much for your amazingly prompt responses - I am so relieved to have someone working so diligently to help me!

ComboFix 08-11-17.01 - Marc Perlin 2008-11-18 20:42:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.436 [GMT -5:00]
Running from: c:\documents and settings\Marc Perlin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marc Perlin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Marc Perlin\delself.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marc Perlin\delself.bat
c:\windows\system32\kwuishpf.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 07:05 . 2008-11-18 07:05 <DIR> d-------- c:\windows\LastGood
2008-11-16 21:53 . 2008-11-16 21:53 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-15 18:00 . 2008-11-15 18:00 250 --a------ c:\windows\gmer.ini
2008-11-15 17:51 . 2008-11-15 17:51 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 14:55 . 2008-11-15 15:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-15 14:55 . 2008-11-15 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 01:40 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-15 19:09 --------- d-----w c:\documents and settings\Marc Perlin\Application Data\HPAppData
2008-10-09 12:33 --------- d-----w c:\program files\Java
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_ 7.09.49.04 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-03-17 1193472]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-03-17 393728]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-03-17 1876480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-30 169472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-05 180269]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

c:\documents and settings\Marc Perlin\Start Menu\Programs\Startup\
DING!.lnk - c:\my downloads\Ding\Ding.exe [2006-06-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-05 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2008-03-17 868864]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-30 87936]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2006-09-21 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a95269ce-c9ce-11dc-8158-00166f51cf40}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-02-10 15:27]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 20:44:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-18 20:46:31
ComboFix-quarantined-files.txt 2008-11-19 01:46:21
ComboFix2.txt 2008-11-18 12:11:17

Pre-Run: 20,894,707,712 bytes free
Post-Run: 20,882,010,112 bytes free

125 --- E O F --- 2008-11-15 15:36:10

11-18-2008, 06:52 PM	#7 (permalink)
trekrobyn Registered User Join Date: Nov 2008 Posts: 8 OS: xp	Re: Virtumonde, malware, internet adware, popups, redirection ComboFix run again, submitted the requested file. One question - when I dragged the script.txt into combofix, it asked if I wanted to download the newest version of Combofix. In this case, I did not choose to do so, since I had downloaded this version only this morning, and figured that this was what you were operating from when you gave me the advice. If I should re-do this, and do it with the most updated version of Combofix available, please advise. Meanwhile, here is the log produced by Combofix tonight. Thank you so much for your amazingly prompt responses - I am so relieved to have someone working so diligently to help me! ComboFix 08-11-17.01 - Marc Perlin 2008-11-18 20:42:51.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.436 [GMT -5:00] Running from: c:\documents and settings\Marc Perlin\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Marc Perlin\Desktop\CFScript.txt * Created a new restore point FILE :: c:\documents and settings\Marc Perlin\delself.bat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Marc Perlin\delself.bat c:\windows\system32\kwuishpf.exe . ((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 ))))))))))))))))))))))))))))))) . 2008-11-18 07:05 . 2008-11-18 07:05 <DIR> d-------- c:\windows\LastGood 2008-11-16 21:53 . 2008-11-16 21:53 552 --a------ c:\windows\system32\d3d8caps.dat 2008-11-15 18:00 . 2008-11-15 18:00 250 --a------ c:\windows\gmer.ini 2008-11-15 17:51 . 2008-11-15 17:51 <DIR> d-------- c:\program files\Trend Micro 2008-11-15 14:55 . 2008-11-15 15:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-15 14:55 . 2008-11-15 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-19 01:40 --------- d-----w c:\program files\Symantec AntiVirus 2008-11-15 19:09 --------- d-----w c:\documents and settings\Marc Perlin\Application Data\HPAppData 2008-10-09 12:33 --------- d-----w c:\program files\Java 2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll 2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe . ((((((((((((((((((((((((((((( snapshot@2008-11-18_ 7.09.49.04 ))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-03-17 1193472] "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-03-17 393728] "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-03-17 1876480] "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShowLOMControl"="1 (0x1)" [X] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064] "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-30 169472] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-05 180269] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792] c:\documents and settings\Marc Perlin\Start Menu\Programs\Startup\ DING!.lnk - c:\my downloads\Ding\Ding.exe [2006-06-22 462848] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-30 24576] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-05 67128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2008-03-17 868864] R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-30 87936] S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2006-09-21 15576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a95269ce-c9ce-11dc-8158-00166f51cf40}] \Shell\AutoRun\command - E:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2008-11-17 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-02-10 15:27] . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-18 20:44:48 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-11-18 20:46:31 ComboFix-quarantined-files.txt 2008-11-19 01:46:21 ComboFix2.txt 2008-11-18 12:11:17 Pre-Run: 20,894,707,712 bytes free Post-Run: 20,882,010,112 bytes free 125 --- E O F --- 2008-11-15 15:36:10