Virtumonde Infected.


Post by robmix » January 25th, 2008, 10:02 pm

Spybot can't delete it. AT&T Security Suite doesn't even know it's there. Please Help!

Logfile of HijackThis v1.99.1
Scan saved at 7:46:14 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sitotwsa.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: {23e62466-94a4-54da-1e94-c7ba8dfe8133} - {3318efd8-ab7c-49e1-ad45-4a4966426e32} - C:\WINDOWS\system32\hjhbwrcd.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {3E95BEF9-A11E-47F9-A93A-2BF4019E02FD} - C:\WINDOWS\system32\geedb.dll
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [60d63f71] rundll32.exe "C:\WINDOWS\system32\sdbmdune.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: http://www.cyberwalker.com
O23 - Service: DomainService - - C:\WINDOWS\system32\sitotwsa.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm
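The log above is the kind of thing the helpers in this thread read by hand. As an added example (not part of the original thread, and not a MalwareRemoval.com or HijackThis feature), here is a Python triage script that applies the same indicators to the O2, O4 and O23 lines: a BHO with no name or with a GUID where its name should be, a Run value with a hex-looking name that loads a system32 DLL through rundll32.exe, and a service with no vendor whose binary sits in system32. The sample log is constructed from lines copied from the post above; the allow-list of stock system32 binaries and the "random-looking name" heuristic are assumptions of the example, tuned to this log rather than general-purpose.

```python
"""Triage a HijackThis log for Virtumonde/Vundo-style indicators.

Added example, not part of the original thread and not a HijackThis
feature. SAMPLE_LOG is constructed from lines copied from the log posted
above (malicious and benign), so the script runs offline.
"""
import re

# Assumption: stock XP binaries that legitimately live in system32 and appear
# in these HJT sections. Not exhaustive; extend per machine.
KNOWN_SYSTEM32 = {"ctfmon.exe", "winlogon.exe", "services.exe", "explorer.exe",
                  "svchost.exe", "spoolsv.exe", "alg.exe", "dllhost.exe"}

GUID = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
SYS32_FILE = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z0-9_]+\.(?:dll|exe))", re.I)
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
# HJT prints "name - vendor - path"; an empty vendor collapses to "name - - path".
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.+)$")


def looks_random(filename):
    """Heuristic for machine-generated stems such as hjhbwrcd.dll or sdbmdune.dll:
    five or more lowercase letters containing a run of five non-vowels.
    Tuned to the names in this thread; an assumption, not a general classifier."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z]{5,}", stem):
        return False
    return re.search(r"[^aeiou]{5}", stem) is not None


def triage(log_text):
    """Return [(line, [reasons])] for every HJT line that trips an indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2.match(line)
        if m:
            if m["name"] == "(no name)" or GUID.match(m["name"]):
                reasons.append("BHO with no name or a GUID as its name")
            f = SYS32_FILE.search(m["path"])
            if f and f[1].lower() not in KNOWN_SYSTEM32:
                reasons.append("BHO DLL loaded straight from system32")
        m = O4.match(line)
        if m:
            if re.fullmatch(r"[0-9a-f]{8}", m["key"], re.I):
                reasons.append("Run value with a hex-looking name")
            if "rundll32" in m["cmd"].lower() and SYS32_FILE.search(m["cmd"]):
                reasons.append("rundll32 loading a system32 DLL at logon")
        m = O23.match(line)
        if m:
            f = SYS32_FILE.search(m["path"])
            if not m["company"].strip() and f and f[1].lower() not in KNOWN_SYSTEM32:
                reasons.append("service with no vendor and a binary in system32")
        f = SYS32_FILE.search(line)
        if reasons and f and looks_random(f[1]):
            reasons.append("random-looking filename " + f[1])
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: {23e62466-94a4-54da-1e94-c7ba8dfe8133} - {3318efd8-ab7c-49e1-ad45-4a4966426e32} - C:\WINDOWS\system32\hjhbwrcd.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {3E95BEF9-A11E-47F9-A93A-2BF4019E02FD} - C:\WINDOWS\system32\geedb.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [60d63f71] rundll32.exe "C:\WINDOWS\system32\sdbmdune.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\sitotwsa.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run it against a saved HijackThis log by passing the file contents to `triage()`; every hit comes back with the reasons that fired, so a reader can see why a line was flagged rather than just that it was. Anything the allow-list or heuristic misses still has to be read by a human, which is exactly what the thread does.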

Re: Virtumonde Infected.

Post by DFW » January 27th, 2008, 4:23 am

Hello and welcome. My name is DFW and I will be assisting you with your malware issues.

Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you get stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Post by DFW » January 27th, 2008, 3:14 pm

Hi robmix


First off, please go to Add/Remove Programs and uninstall HJT v1.99.1, then use the link below to download
and install the current version.


Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis; please close it for now.
  • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Now, once HJT is installed, please rename it:


Use My Computer (Windows Explorer) to go to the HijackThis folder.
In your case, the HijackThis folder will be: C:\Program Files\Trend Micro\HijackThis\
(double click C:, then double click Program Files, double click Trend Micro, then double click the HijackThis folder)
In the top menu, click View, Details.
Right-click on the file named HijackThis.exe and select Rename.
Type in the new filename as seemeknow.exe
Hit <Enter> and close My Computer.




1. Download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

2. Double click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix should not be used without supervision.



Please post back the ComboFix log and a new HJT log.

Re: Virtumonde Infected.

Post by robmix » January 27th, 2008, 11:13 pm

ComboFix starts, but stalls after 4 bars.

Re: Virtumonde Infected.

Post by robmix » January 27th, 2008, 11:47 pm

OK, I got it to work. Had to disable AT&T Security Services for ComboFix to work.

ComboFix 08-01-23.1C - Robert Smith 2008-01-27 21:42:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.192 [GMT -6:00]
Running from: C:\Documents and Settings\Robert Smith\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\acabfxpq.ini
C:\WINDOWS\system32\atpwlpii.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bhtjwwkr.dll
C:\WINDOWS\system32\buoygxnq.dll
C:\WINDOWS\system32\bvoxlkqi.dll
C:\WINDOWS\system32\cbcnwtbf.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dhpwhghd.dll
C:\WINDOWS\system32\enudmbds.ini
C:\WINDOWS\system32\exmnhung.dll
C:\WINDOWS\system32\fgexifxi.dll
C:\WINDOWS\system32\fsphmgdp.ini
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\giqrgodp.dll
C:\WINDOWS\system32\iiplwpta.dll
C:\WINDOWS\system32\jebnyulm.ini
C:\WINDOWS\system32\jnxlwvmi.dll
C:\WINDOWS\system32\krufmemq.ini
C:\WINDOWS\system32\kstrgyut.dll
C:\WINDOWS\system32\kyvjesxm.dll
C:\WINDOWS\system32\lhkdrugq.dll
C:\WINDOWS\system32\llhubxto.dll
C:\WINDOWS\system32\mcidwwup.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mluynbej.dll
C:\WINDOWS\system32\mrsawfva.dll
C:\WINDOWS\system32\nnhdgheu.dll
C:\WINDOWS\system32\omdcfept.dll
C:\WINDOWS\system32\otxbuhll.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdgmhpsf.dll
C:\WINDOWS\system32\qmemfurk.dll
C:\WINDOWS\system32\qpxfbaca.dll
C:\WINDOWS\system32\sdbmdune.dll
C:\WINDOWS\system32\sfpmukeh.dll
C:\WINDOWS\system32\sgfqgxpe.dll
C:\WINDOWS\system32\tbvjigxo.dll
C:\WINDOWS\system32\tjqnjqfj.dll
C:\WINDOWS\system32\tpefcdmo.ini
C:\WINDOWS\system32\vbxtgjuo.exe
C:\WINDOWS\system32\vhttwdny.dll
C:\WINDOWS\system32\wgihbvhi.dll
C:\WINDOWS\system32\wtgyvifm.dll
C:\WINDOWS\system32\wvvut.ini
C:\WINDOWS\system32\wvvut.ini2
C:\WINDOWS\system32\xgcejdde.dll
C:\WINDOWS\system32\xmpqcwxi.dll
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 21:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 20:22 . 2008-01-27 20:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 22:12 . 2008-01-25 04:54 1,131,351 --ahs---- C:\WINDOWS\system32\tuouedlv.ini
2008-01-21 22:09 . 2008-01-22 22:08 1,110,920 --ahs---- C:\WINDOWS\system32\iycmjiau.ini
2008-01-20 22:08 . 2008-01-21 22:08 1,091,152 --ahs---- C:\WINDOWS\system32\ydflcmfu.ini
2008-01-17 18:55 . 2008-01-18 21:09 1,527,593 --ahs---- C:\WINDOWS\system32\qnuqnkws.ini
2008-01-16 18:02 . 2008-01-17 18:51 1,591,224 --ahs---- C:\WINDOWS\system32\bjlelsxn.ini
2008-01-15 17:33 . 2008-01-16 17:58 1,706,481 --ahs---- C:\WINDOWS\system32\wscaqeii.ini
2008-01-14 17:32 . 2008-01-15 17:12 1,864,336 --ahs---- C:\WINDOWS\system32\igyeuvxr.ini
2008-01-13 19:52 . 2008-01-13 19:52 <DIR> d-------- C:\Program Files\LimeWire
2008-01-13 07:45 . 2008-01-14 17:28 1,872,164 --ahs---- C:\WINDOWS\system32\uxcwfmsc.ini
2008-01-10 17:47 . 2008-01-11 16:23 1,053,735 --ahs---- C:\WINDOWS\system32\lhykxhdc.ini
2008-01-09 17:37 . 2008-01-10 17:42 1,049,761 --ahs---- C:\WINDOWS\system32\aojedhti.ini
2008-01-08 17:45 . 2008-01-09 17:35 1,055,571 --ahs---- C:\WINDOWS\system32\ajdehnib.ini
2008-01-07 17:34 . 2008-01-08 17:44 1,055,322 --ahs---- C:\WINDOWS\system32\kftnubef.ini
2008-01-06 13:22 . 2008-01-07 17:30 1,044,035 --ahs---- C:\WINDOWS\system32\mkxfjoel.ini
2008-01-05 13:29 . 2008-01-06 13:10 1,043,878 --ahs---- C:\WINDOWS\system32\epvforwe.ini
2008-01-02 19:18 . 2008-01-27 21:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-02 19:18 . 2008-01-02 19:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 10:33 . 2008-01-03 10:54 1,038,656 --ahs---- C:\WINDOWS\system32\adygylmo.ini
2008-01-01 19:19 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-01-01 19:18 . 2008-01-01 19:18 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-01 19:18 . 2007-04-19 11:24 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-01-01 19:17 . 2008-01-01 19:17 <DIR> d-------- C:\Program Files\Raxco
2008-01-01 19:17 . 2008-01-01 19:25 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-01 19:17 . 2008-01-01 19:17 <DIR> d-------- C:\Program Files\CA
2008-01-01 19:15 . 2008-01-01 19:16 <DIR> d-------- C:\Program Files\AT&T
2008-01-01 18:53 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-31 23:11 . 2007-12-31 23:11 <DIR> d-------- C:\qrnt
2007-12-31 23:11 . 2007-12-31 23:11 <DIR> d-------- C:\CA
2007-12-31 08:42 . 2007-12-31 19:17 1,031,355 --ahs---- C:\WINDOWS\system32\naedjoaw.ini
2007-12-29 09:18 . 2007-12-30 14:11 77,891 --a------ C:\WINDOWS\system32\USRmlnkA .exe
2007-12-29 08:21 . 2007-12-30 19:36 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-29 08:18 . 2007-12-29 08:18 <DIR> d-------- C:\Program Files\ATT
2007-12-29 06:56 . 2007-12-29 06:56 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2007-12-29 06:56 . 2007-12-29 06:56 <DIR> d-------- C:\Temp\cEeer12
2007-12-29 06:56 . 2007-12-29 06:56 134 --a------ C:\n.bat
2007-12-28 11:41 . 2007-12-28 11:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 13:58 --------- d-----w C:\Program Files\HiJack This
2008-01-24 00:39 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-03 01:17 --------- d-----w C:\Program Files\iTunes
2008-01-03 01:16 --------- d-----w C:\Program Files\iPod
2008-01-03 01:13 --------- d-----w C:\Program Files\QuickTime
2008-01-02 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 21:49 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-29 03:57 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 13:52 --------- d-----w C:\Program Files\AC3Filter
2007-12-26 13:18 --------- d-----w C:\Program Files\ahead
2007-12-26 13:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 13:16 --------- d-----w C:\Program Files\Common Files\Voyetra
2007-12-22 15:22 --------- d-----w C:\Program Files\Canon
2007-12-22 15:18 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-22 15:16 --------- d-----w C:\Program Files\ScanSoft
2007-12-22 15:15 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-22 15:11 --------- d--h--w C:\Program Files\CanonBJ
2007-12-20 10:54 --------- d-----w C:\Program Files\OfficeUpdate11
2007-12-20 10:54 --------- d-----w C:\Program Files\MP3Downloading
2007-12-20 10:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-20 10:54 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-20 10:53 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-20 10:53 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-12-20 10:53 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 10:53 --------- d-----w C:\Program Files\androidnews
2007-12-20 10:53 --------- d-----w C:\Program Files\Amazing DVD Player
2007-12-13 02:11 32,123 ----a-w C:\WINDOWS\PaperPortSave.reg
2007-12-13 02:11 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-12-13 02:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 01:56 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 11:42 --------- d-----w C:\Program Files\PrimaScan
2007-12-12 11:42 --------- d-----w C:\Program Files\Common Files\Panasonic
2007-11-24 18:28 654,920 ----a-w C:\mtinst.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2004-12-16 18:50 8,273 ----a-w C:\Program Files\snylcd55.cat
2004-12-12 18:38 2,824 ----a-w C:\Program Files\HS75P_65.icm
2004-12-12 18:36 2,824 ----a-w C:\Program Files\HS75P_93.icm
2004-12-10 02:49 1,636 ----a-w C:\Program Files\SnyLCD55.inf
2004-05-19 15:16 20,854 ----a-w C:\Program Files\README-E.RTF
2007-08-24 03:14 21,382,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 03:14 980,000 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
----a-w            39,792 2007-12-31 01:36:39  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            45,056 2007-12-31 01:36:40  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w           368,706 2007-12-30 20:11:35  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w         1,603,152 2007-12-31 01:36:47  C:\Program Files\Canon\MyPrinter\BJMyPrt .exe
----a-w           644,696 2007-12-31 01:36:45  C:\Program Files\Canon\SolutionMenu\CNSLMAIN .exe
----a-w            65,536 2007-12-30 21:49:44  C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w           210,472 2007-12-31 01:36:42  C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
----a-w           267,064 2007-12-31 01:36:40  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2007-12-30 21:49:45  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           217,088 2007-12-30 21:49:45  C:\Program Files\Microsoft IntelliPoint\point32 .exe
----a-w            40,960 2007-12-30 21:49:44  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w            57,344 2007-12-31 01:36:45  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w           286,720 2007-12-30 21:37:10  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2007-12-30 21:36:39  C:\Program Files\QuickTime\qttask            .exe
----a-w           286,720 2007-12-30 20:11:21  C:\Program Files\QuickTime\qttask           .exe
----a-w           286,720 2007-12-30 19:55:56  C:\Program Files\QuickTime\qttask          .exe
----a-w           286,720 2007-12-30 19:41:39  C:\Program Files\QuickTime\qttask         .exe
----a-w           286,720 2007-12-30 15:48:17  C:\Program Files\QuickTime\qttask        .exe
----a-w           286,720 2007-12-30 15:34:53  C:\Program Files\QuickTime\qttask       .exe
----a-w           286,720 2007-12-30 15:11:11  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2007-12-30 14:01:36  C:\Program Files\QuickTime\qttask     .exe
----a-w           286,720 2007-12-30 03:16:30  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2007-12-29 16:31:37  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2007-12-29 16:10:36  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2007-12-29 15:18:31  C:\Program Files\QuickTime\qttask .exe
----a-w            79,400 2007-12-30 22:02:58  C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4 .exe
----a-w         4,670,704 2007-12-30 20:02:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w            15,360 2007-12-31 01:36:44  C:\WINDOWS\system32\ctfmon .exe
----a-w            77,891 2007-12-30 20:11:38  C:\WINDOWS\system32\USRmlnkA .exe



-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HydarVisionViewport"=viewport.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"Mstask32driver"=Mstask32.exe
"USRpdA"=C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
"Security32 Loader"=security32.exe

R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 14:52]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 18:16]
R3 MN130;Microsoft(R) PCI Adapter MN-130;C:\WINDOWS\system32\DRIVERS\MN130-51.sys [2002-05-29 12:25]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 22:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 03:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
S3 Amps2prt;PS/2 Port Wheel Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2000-11-03 20:37]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 07:57]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 15:34]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 01:56]
S3 USR7900;U.S. Robotics 10/100 PCI NIC TX;C:\WINDOWS\system32\DRIVERS\USR7900.SYS [2001-12-03 09:41]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 15:28]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-12-13 18:42]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 21:43:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 21:45:00
ComboFix-quarantined-files.txt 2008-01-28 03:44:31
.
2008-01-09 11:23:59 --- E O F ---

Re: Virtumonde Infected.

Post by DFW » January 30th, 2008, 11:14 am

Recovery Console

We need to install the Recovery Console on this computer.
Due to the threat that current and future malware poses, it is vital that you have some form of recovery console.
This is very important; it could save you later.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System


The one for you is Windows XP Service Pack 2 (SP2).

Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Important
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log.

Re: Virtumonde Infected.

Post by robmix » January 30th, 2008, 10:00 pm

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Re: Virtumonde Infected.

Post by DFW » February 2nd, 2008, 2:41 pm

Turn off your AT&T Internet Security Suite again.


  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    C:\WINDOWS\system32\tuouedlv.ini
    C:\WINDOWS\system32\iycmjiau.ini
    C:\WINDOWS\system32\ydflcmfu.ini
    C:\WINDOWS\system32\qnuqnkws.ini
    C:\WINDOWS\system32\bjlelsxn.ini
    C:\WINDOWS\system32\wscaqeii.ini
    C:\WINDOWS\system32\igyeuvxr.ini
    C:\WINDOWS\system32\uxcwfmsc.ini
    C:\WINDOWS\system32\lhykxhdc.ini
    C:\WINDOWS\system32\aojedhti.ini
    C:\WINDOWS\system32\ajdehnib.ini
    C:\WINDOWS\system32\kftnubef.ini
    C:\WINDOWS\system32\mkxfjoel.ini
    C:\WINDOWS\system32\epvforwe.ini
    C:\WINDOWS\system32\adygylmo.ini
    C:\WINDOWS\system32\naedjoaw.ini
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\ardCo18
    C:\n.bat
    C:\qrnt
    
    
    RenV::
    ----a-w            39,792 2007-12-31 01:36:39  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    ----a-w            45,056 2007-12-31 01:36:40  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
    ----a-w           368,706 2007-12-30 20:11:35  C:\Program Files\BroadJump\Client Foundation\CFD .exe
    ----a-w         1,603,152 2007-12-31 01:36:47  C:\Program Files\Canon\MyPrinter\BJMyPrt .exe
    ----a-w           644,696 2007-12-31 01:36:45  C:\Program Files\Canon\SolutionMenu\CNSLMAIN .exe
    ----a-w            65,536 2007-12-30 21:49:44  C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
    ----a-w           210,472 2007-12-31 01:36:42  C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
    ----a-w           267,064 2007-12-31 01:36:40  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           132,496 2007-12-30 21:49:45  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w           217,088 2007-12-30 21:49:45  C:\Program Files\Microsoft IntelliPoint\point32 .exe
    ----a-w            40,960 2007-12-30 21:49:44  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
    ----a-w            57,344 2007-12-31 01:36:45  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
    ----a-w           286,720 2007-12-29 15:18:31  C:\Program Files\QuickTime\qttask .exe
    ----a-w            79,400 2007-12-30 22:02:58  C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4 .exe
    ----a-w         4,670,704 2007-12-30 20:02:58  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
    ----a-w            15,360 2007-12-31 01:36:44  C:\WINDOWS\system32\ctfmon .exe
    ----a-w            77,891 2007-12-30 20:11:38  C:\WINDOWS\system32\USRmlnkA .exe
    
    
    DirLook::
    C:\Temp
    
    
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply, please post: the ComboFix log (C:\Combofix.txt) and a new HijackThis log.
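DFW's CFScript above was assembled by hand from the ComboFix log: every hidden+system .ini in system32 with an eight-letter random name went under File::, and every snapshot line whose executable name has spaces before .exe went under RenV::. As an added example (not part of the thread and not ComboFix's own tooling), this Python script parses those two line formats from a ComboFix log and proposes the same two sections. The sample input is constructed from lines copied from the log posted above plus one benign Find3M line that neither parser should match; the selection rules are assumptions of the example, and the output is a candidate list for an analyst to review, not a script to run unreviewed.

```python
"""Propose a ComboFix CFScript (File:: and RenV:: sections) from a ComboFix log.

Added example, not part of the thread and not ComboFix's own tooling. It
reads two line formats that appear in the log above: the "Files Created"
entries and the snapshot entries that DFW pasted verbatim under RenV::.
SAMPLE_LOG is constructed from lines copied from that log.
"""
import re

# "Files Created" entries:  created . modified size attrs path
CREATED = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
# Snapshot entries:  attrs size timestamp path
SNAPSHOT = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"\s+(?P<path>.+)$")


def has_padded_extension(path):
    """'ctfmon .exe' or 'qttask      .exe': whitespace between the stem and .exe.
    The padded name sorts beside the real binary and is easy to mistake for it."""
    return re.search(r"\S\s+\.exe$", path, re.IGNORECASE) is not None


def is_hidden_system_ini(attrs, path):
    """Hidden+system .ini with an eight-letter lowercase stem dropped into system32.
    Assumption of this example, matching the daily ~1 MB files in the log above."""
    name = path.rsplit("\\", 1)[-1]
    return ("h" in attrs and "s" in attrs
            and "\\system32\\" in path.lower()
            and re.fullmatch(r"[a-z]{8}\.ini", name) is not None)


def triage(log_text):
    """Return {'file': [paths for File::], 'renv': [verbatim lines for RenV::]}."""
    file_targets, renv_lines = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED.match(line)
        if m:
            if has_padded_extension(m["path"]) or is_hidden_system_ini(m["attrs"], m["path"]):
                file_targets.append(m["path"])
            continue
        m = SNAPSHOT.match(line)
        if m and has_padded_extension(m["path"]):
            renv_lines.append(line)  # RenV:: takes the whole snapshot line, as in the thread
    return {"file": file_targets, "renv": renv_lines}


def build_cfscript(findings):
    """Render the File:: and RenV:: sections in the layout DFW's script uses."""
    parts = ["File::", *findings["file"], "", "RenV::", *findings["renv"], ""]
    return "\n".join(parts)


# Constructed sample: lines copied from the ComboFix log posted above, plus a
# benign Find3M line (lsasrv.dll) in a third format that must be ignored.
SAMPLE_LOG = r"""
2008-01-27 21:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 22:12 . 2008-01-25 04:54 1,131,351 --ahs---- C:\WINDOWS\system32\tuouedlv.ini
2008-01-21 22:09 . 2008-01-22 22:08 1,110,920 --ahs---- C:\WINDOWS\system32\iycmjiau.ini
2008-01-13 19:52 . 2008-01-13 19:52 <DIR> d-------- C:\Program Files\LimeWire
2008-01-02 19:18 . 2008-01-27 21:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 08:21 . 2007-12-30 19:36 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
----a-w            39,792 2007-12-31 01:36:39  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           286,720 2007-12-30 21:37:10  C:\Program Files\QuickTime\qttask             .exe
----a-w            15,360 2007-12-31 01:36:44  C:\WINDOWS\system32\ctfmon .exe
"""

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The hidden-only QTFont.qfn and the plain Nircmd.exe are left alone, which is the point of requiring both attributes and the padded-extension shape rather than flagging every recently created file. DirLook:: and any other sections still have to be added by hand, as DFW did.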

Re: Virtumonde Infected.

Post by robmix » February 3rd, 2008, 3:26 am

ComboFix 08-01-23.1C - Robert Smith 2008-02-03 1:15:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -6:00]
Running from: C:\Documents and Settings\Robert Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Smith\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\qrnt
C:\WINDOWS\system32\adygylmo.ini
C:\WINDOWS\system32\ajdehnib.ini
C:\WINDOWS\system32\aojedhti.ini
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\bjlelsxn.ini
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\epvforwe.ini
C:\WINDOWS\system32\igyeuvxr.ini
C:\WINDOWS\system32\iycmjiau.ini
C:\WINDOWS\system32\kftnubef.ini
C:\WINDOWS\system32\lhykxhdc.ini
C:\WINDOWS\system32\mkxfjoel.ini
C:\WINDOWS\system32\naedjoaw.ini
C:\WINDOWS\system32\qnuqnkws.ini
C:\WINDOWS\system32\tuouedlv.ini
C:\WINDOWS\system32\uxcwfmsc.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wscaqeii.ini
C:\WINDOWS\system32\ydflcmfu.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\WINDOWS\system32\adygylmo.ini
C:\WINDOWS\system32\ajdehnib.ini
C:\WINDOWS\system32\aojedhti.ini
C:\WINDOWS\system32\bjlelsxn.ini
C:\WINDOWS\system32\epvforwe.ini
C:\WINDOWS\system32\igyeuvxr.ini
C:\WINDOWS\system32\iycmjiau.ini
C:\WINDOWS\system32\kftnubef.ini
C:\WINDOWS\system32\lhykxhdc.ini
C:\WINDOWS\system32\mkxfjoel.ini
C:\WINDOWS\system32\naedjoaw.ini
C:\WINDOWS\system32\qnuqnkws.ini
C:\WINDOWS\system32\tuouedlv.ini
C:\WINDOWS\system32\uxcwfmsc.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wscaqeii.ini
C:\WINDOWS\system32\ydflcmfu.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-30 19:56 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-30 19:56 . 2004-09-21 17:25 211 --a------ C:\Boot.bak
2008-01-29 06:07 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-01-29 06:06 . 2008-01-29 06:07 <DIR> d-------- C:\Program Files\Master Tour Database
2008-01-27 21:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 20:22 . 2008-01-27 20:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 19:52 . 2008-01-13 19:52 <DIR> d-------- C:\Program Files\LimeWire
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 07:15 --------- d-----w C:\Program Files\QuickTime
2008-02-03 07:15 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-03 07:15 --------- d-----w C:\Program Files\iTunes
2008-01-29 00:57 --------- d-----w C:\Program Files\iPod
2008-01-27 13:58 --------- d-----w C:\Program Files\HiJack This
2008-01-24 00:39 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-02 01:25 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-02 01:18 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-02 01:17 --------- d-----w C:\Program Files\Raxco
2008-01-02 01:17 --------- d-----w C:\Program Files\CA
2008-01-02 01:16 --------- d-----w C:\Program Files\AT&T
2008-01-02 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-30 20:11 77,891 ----a-w C:\WINDOWS\system32\USRmlnkA.exe
2007-12-29 14:18 --------- d-----w C:\Program Files\ATT
2007-12-29 03:57 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 13:52 --------- d-----w C:\Program Files\AC3Filter
2007-12-26 13:18 --------- d-----w C:\Program Files\ahead
2007-12-26 13:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 13:16 --------- d-----w C:\Program Files\Common Files\Voyetra
2007-12-22 15:22 --------- d-----w C:\Program Files\Canon
2007-12-22 15:18 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-22 15:16 --------- d-----w C:\Program Files\ScanSoft
2007-12-22 15:15 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-22 15:11 --------- d--h--w C:\Program Files\CanonBJ
2007-12-20 10:54 --------- d-----w C:\Program Files\OfficeUpdate11
2007-12-20 10:54 --------- d-----w C:\Program Files\MP3Downloading
2007-12-20 10:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-20 10:54 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-20 10:53 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-20 10:53 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-12-20 10:53 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 10:53 --------- d-----w C:\Program Files\androidnews
2007-12-20 10:53 --------- d-----w C:\Program Files\Amazing DVD Player
2007-12-13 02:11 32,123 ----a-w C:\WINDOWS\PaperPortSave.reg
2007-12-13 02:11 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-12-13 02:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 01:56 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 11:42 --------- d-----w C:\Program Files\PrimaScan
2007-12-12 11:42 --------- d-----w C:\Program Files\Common Files\Panasonic
2007-11-24 18:28 654,920 ----a-w C:\mtinst.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-12-16 18:50 8,273 ----a-w C:\Program Files\snylcd55.cat
2004-12-12 18:38 2,824 ----a-w C:\Program Files\HS75P_65.icm
2004-12-12 18:36 2,824 ----a-w C:\Program Files\HS75P_93.icm
2004-12-10 02:49 1,636 ----a-w C:\Program Files\SnyLCD55.inf
2004-05-19 15:16 20,854 ----a-w C:\Program Files\README-E.RTF
2007-08-24 03:14 21,382,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 03:14 980,000 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
----a-w           286,720 2007-12-30 21:37:10  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2007-12-30 21:36:39  C:\Program Files\QuickTime\qttask            .exe
----a-w           286,720 2007-12-30 20:11:21  C:\Program Files\QuickTime\qttask           .exe
----a-w           286,720 2007-12-30 19:55:56  C:\Program Files\QuickTime\qttask          .exe
----a-w           286,720 2007-12-30 19:41:39  C:\Program Files\QuickTime\qttask         .exe
----a-w           286,720 2007-12-30 15:48:17  C:\Program Files\QuickTime\qttask        .exe
----a-w           286,720 2007-12-30 15:34:53  C:\Program Files\QuickTime\qttask       .exe
----a-w           286,720 2007-12-30 15:11:11  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2007-12-30 14:01:36  C:\Program Files\QuickTime\qttask     .exe
----a-w           286,720 2007-12-30 03:16:30  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2007-12-29 16:31:37  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2007-12-29 16:10:36  C:\Program Files\QuickTime\qttask  .exe



(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2005-11-25 21:13 0 --a------ C:\Temp\EnhancedDataOutput.txt
2004-11-29 05:39 2841 --a------ C:\Temp\blspcerr.log


((((((((((((((((((((((((((((( snapshot_2008-01-27_21.43.59.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-28 03:23:25 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-02-03 07:14:49 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-28 03:23:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-02-03 07:14:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-28 03:23:26 8,163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-02-03 07:14:50 8,183,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-28 03:23:26 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-02-03 07:14:50 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-28 03:23:26 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-02-03 07:14:51 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-28 03:23:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-02-03 07:14:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 00:58:42 102,400 ----a-r C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe
- 2004-08-04 07:56:48 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2007-12-31 01:36:44 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2001-08-18 04:37:00 77,891 -c--a-w C:\WINDOWS\system32\dllcache\usrmlnka.exe
+ 2007-12-30 20:11:38 77,891 -c--a-w C:\WINDOWS\system32\dllcache\usrmlnka.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:36 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe" [2007-06-28 16:09 310000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 09:18 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 19:36 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HydarVisionViewport"=viewport.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"Mstask32driver"=Mstask32.exe
"USRpdA"=C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
"Security32 Loader"=security32.exe

R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 14:52]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 18:16]
R3 MN130;Microsoft(R) PCI Adapter MN-130;C:\WINDOWS\system32\DRIVERS\MN130-51.sys [2002-05-29 12:25]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 22:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 03:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
S3 Amps2prt;PS/2 Port Wheel Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2000-11-03 20:37]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 07:57]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 15:34]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 01:56]
S3 USR7900;U.S. Robotics 10/100 PCI NIC TX;C:\WINDOWS\system32\DRIVERS\USR7900.SYS [2001-12-03 09:41]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 15:28]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-12-13 18:42]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 01:19:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 1:20:57
ComboFix-quarantined-files.txt 2008-02-03 07:20:30
ComboFix2.txt 2008-01-28 03:45:00
.
2008-01-09 11:23:59 --- E O F ---
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby robmix » February 3rd, 2008, 3:28 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:04 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\seemeknow.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AT&T Internet Security Suite] C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

--
End of file - 4121 bytes
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 5th, 2008, 12:15 pm

You are running P2P filesharing programmes:

Limewire


  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does, click here.

Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe.
You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them
http://forum.malwareremoval.com/viewtop ... e3e96420cc


My recommendation is you uninstall it.


Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.




Now we need to do a search.
Start > Search > For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:


Mstask32.exe

security32.exe


If any of these files are found please delete them.





Turn off your AT&T Internet Security Suite again


  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    
    RenV::
    ----a-w           286,720 2007-12-30 21:37:10  C:\Program Files\QuickTime\qttask             .exe
    ----a-w           286,720 2007-12-30 21:36:39  C:\Program Files\QuickTime\qttask            .exe
    ----a-w           286,720 2007-12-30 20:11:21  C:\Program Files\QuickTime\qttask           .exe
    ----a-w           286,720 2007-12-30 19:55:56  C:\Program Files\QuickTime\qttask          .exe
    ----a-w           286,720 2007-12-30 19:41:39  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           286,720 2007-12-30 15:48:17  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           286,720 2007-12-30 15:34:53  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           286,720 2007-12-30 15:11:11  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           286,720 2007-12-30 14:01:36  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           286,720 2007-12-30 03:16:30  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           286,720 2007-12-29 16:31:37  C:\Program Files\QuickTime\qttask   .exe
    ----a-w           286,720 2007-12-29 16:10:36  C:\Program Files\QuickTime\qttask  .exe
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Image: screenshot of CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply, please post: the ComboFix log (C:\Combofix.txt) and a new HijackThis log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
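The RenV:: list in the post above names twelve files whose names are "qttask" followed by a run of spaces and then ".exe", so in a directory listing they look like the genuine QuickTime binary. The Python below is an added example, not part of this thread and not ComboFix code: it parses file-listing lines in the layout ComboFix prints, flags names with whitespace before the extension, and folds whitespace variants together so look-alikes group under the name they imitate. The regular expression, the function names and the single clean entry in the sample are my assumptions; the two padded lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample listing. The first two lines are copied from the RenV:: list
# in the thread above; the third is a made-up clean entry for contrast.
SAMPLE_LISTING = r"""
----a-w           286,720 2007-12-30 21:37:10  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2007-12-29 16:10:36  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2007-12-29 09:18:00  C:\Program Files\QuickTime\qttask.exe
"""

# attributes, byte size with thousands separators, timestamp, then the path;
# the path runs to the end of the line so embedded spaces survive.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>\S.*)$"
)


def parse_line(line):
    """Parse one listing line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    path = m.group("path")
    return {
        "attrs": m.group("attrs"),
        "size": int(m.group("size").replace(",", "")),
        "timestamp": m.group("ts"),
        "path": path,
        "name": path.rsplit("\\", 1)[-1],
    }


def name_anomaly(name):
    """Return a short reason if the bare file name looks padded, else None."""
    if re.search(r"\s\.[^.\\\s]+$", name):
        return "whitespace before extension"
    if name != name.rstrip():
        return "trailing whitespace"
    if "  " in name:
        return "run of spaces in name"
    return None


def canonical_name(name):
    """Collapse whitespace and case so padded variants fold onto the name they imitate."""
    return re.sub(r"\s+", "", name).lower()


def analyze(listing):
    """Return (findings, groups): flagged paths with reasons, and paths grouped by canonical name."""
    entries = [e for e in map(parse_line, listing.splitlines()) if e]
    findings = [(e["path"], name_anomaly(e["name"])) for e in entries if name_anomaly(e["name"])]
    groups = defaultdict(list)
    for e in entries:
        groups[canonical_name(e["name"])].append(e["path"])
    return findings, dict(groups)


if __name__ == "__main__":
    found, grouped = analyze(SAMPLE_LISTING)
    for path, reason in found:
        print(f"SUSPICIOUS ({reason}): {path!r}")
    for canon, paths in grouped.items():
        if len(paths) > 1:
            print(f"{len(paths)} entries resolve to {canon}")
```

Run over a full ComboFix listing, the grouping step is the more useful half: a legitimate program name that resolves to several paths in the same directory is the pattern to review, whatever the padding looks like.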

Re: Virtumonde Infected.

Unread postby robmix » February 5th, 2008, 6:06 pm

ComboFix 08-01-23.1C - Robert Smith 2008-02-05 16:02:08.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -6:00]
Running from: C:\Documents and Settings\Robert Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Smith\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-01-30 19:56 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-30 19:56 . 2004-09-21 17:25 211 --a------ C:\Boot.bak
2008-01-29 06:07 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-01-29 06:06 . 2008-01-29 06:07 <DIR> d-------- C:\Program Files\Master Tour Database
2008-01-27 21:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 20:22 . 2008-01-27 20:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 22:02 --------- d-----w C:\Program Files\QuickTime
2008-02-03 07:15 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-03 07:15 --------- d-----w C:\Program Files\iTunes
2008-01-29 00:57 --------- d-----w C:\Program Files\iPod
2008-01-27 13:58 --------- d-----w C:\Program Files\HiJack This
2008-01-24 00:39 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-02 01:25 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-02 01:18 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-02 01:17 --------- d-----w C:\Program Files\Raxco
2008-01-02 01:17 --------- d-----w C:\Program Files\CA
2008-01-02 01:16 --------- d-----w C:\Program Files\AT&T
2008-01-02 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 01:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-30 20:11 77,891 ----a-w C:\WINDOWS\system32\USRmlnkA.exe
2007-12-29 14:18 --------- d-----w C:\Program Files\ATT
2007-12-29 03:57 --------- d-----w C:\Program Files\Yahoo!
2007-12-26 13:52 --------- d-----w C:\Program Files\AC3Filter
2007-12-26 13:18 --------- d-----w C:\Program Files\ahead
2007-12-26 13:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-25 13:16 --------- d-----w C:\Program Files\Common Files\Voyetra
2007-12-22 15:22 --------- d-----w C:\Program Files\Canon
2007-12-22 15:18 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-22 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-22 15:16 --------- d-----w C:\Program Files\ScanSoft
2007-12-22 15:15 --------- d-----w C:\Program Files\Common Files\CANON
2007-12-22 15:11 --------- d--h--w C:\Program Files\CanonBJ
2007-12-20 10:54 --------- d-----w C:\Program Files\OfficeUpdate11
2007-12-20 10:54 --------- d-----w C:\Program Files\MP3Downloading
2007-12-20 10:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-20 10:54 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-20 10:53 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-20 10:53 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-12-20 10:53 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 10:53 --------- d-----w C:\Program Files\androidnews
2007-12-20 10:53 --------- d-----w C:\Program Files\Amazing DVD Player
2007-12-13 02:11 32,123 ----a-w C:\WINDOWS\PaperPortSave.reg
2007-12-13 02:11 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2007-12-13 02:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-13 01:56 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 11:42 --------- d-----w C:\Program Files\PrimaScan
2007-12-12 11:42 --------- d-----w C:\Program Files\Common Files\Panasonic
2007-11-24 18:28 654,920 ----a-w C:\mtinst.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-12-16 18:50 8,273 ----a-w C:\Program Files\snylcd55.cat
2004-12-12 18:38 2,824 ----a-w C:\Program Files\HS75P_65.icm
2004-12-12 18:36 2,824 ----a-w C:\Program Files\HS75P_93.icm
2004-12-10 02:49 1,636 ----a-w C:\Program Files\SnyLCD55.inf
2004-05-19 15:16 20,854 ----a-w C:\Program Files\README-E.RTF
2007-08-24 03:14 21,382,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-24 03:14 980,000 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot_2008-02-03_ 1.20.01.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-03 07:14:49 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-02-05 22:01:49 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-02-03 07:14:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-02-05 22:01:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-02-03 07:14:50 8,183,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-02-05 22:01:49 8,183,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-02-03 07:14:50 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-02-05 22:01:49 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-02-03 07:14:51 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-02-05 22:01:50 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-02-03 07:14:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-02-05 22:01:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:36 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
"-FreedomNeedsReboot"="C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 16:09 13552]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe" [2007-06-28 16:09 310000]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 10:10 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-30 19:36 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HydarVisionViewport"=viewport.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"Mstask32driver"=Mstask32.exe
"USRpdA"=C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
"Security32 Loader"=security32.exe

R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 14:52]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 18:16]
R3 MN130;Microsoft(R) PCI Adapter MN-130;C:\WINDOWS\system32\DRIVERS\MN130-51.sys [2002-05-29 12:25]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 22:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 03:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
S3 Amps2prt;PS/2 Port Wheel Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2000-11-03 20:37]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 07:57]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 15:34]
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-04 01:56]
S3 USR7900;U.S. Robotics 10/100 PCI NIC TX;C:\WINDOWS\system32\DRIVERS\USR7900.SYS [2001-12-03 09:41]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 15:28]
S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2001-12-13 18:42]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 16:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 16:05:03
ComboFix-quarantined-files.txt 2008-02-05 22:04:35
ComboFix2.txt 2008-02-03 07:20:58
ComboFix3.txt 2008-01-28 03:45:00
.
2008-01-09 11:23:59 --- E O F ---
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 6th, 2008, 3:21 am

Download FindFile by Atribune from >here<
  • Right click on it and extract the contents to your Desktop
  • Double click on FileFind.exe to open the program.
  • Copy and paste Mstask32.exe into the File: box.
  • Click on the Search button.
  • After a while, if any files are found, a list of file locations will appear in the List of Files: box.
  • Click on the Export button.
  • This will create a Notepad file named Export.txt located in the C:\ folder, copy and paste it to your next post please.


Next
Repeat for security32.exe
User avatar
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Virtumonde Infected.

Unread postby robmix » February 6th, 2008, 8:02 am

Both searches found no files.

FYI, when I shut down my computer, I get a message saying that the "UiPopupHidden" program can't close.
robmix
Active Member
 
Posts: 13
Joined: January 25th, 2008, 9:58 pm

Re: Virtumonde Infected.

Unread postby DFW » February 6th, 2008, 1:31 pm

The uipopuphidden message is not malware related but is somehow related to Freedom AV. Have you ever had Freedom Antivirus installed,
or is AT&T Internet Security Suite, which I believe is supplied by your internet supplier, related to Freedom Antivirus in some way?

When did the uipopuphidden message start?



Turn off your AT&T Internet Security Suite again


  • Now please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "Security32 Loader"=-
    "Mstask32driver"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 
    "AppInit_DLLs"="" 
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [Image: screenshot of CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply, please post: the ComboFix log (C:\Combofix.txt)
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
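Both CFScripts in this thread, the earlier one that resets LSA "Notification Packages" with a hex(7) value and the one just above that deletes the two run-disabled values with "=-" and clears AppInit_DLLs, use REGEDIT4 .reg syntax inside a Registry:: section. The Python below is an added example, not DFW's tooling or ComboFix code: it parses that section into set/delete operations, decodes and re-encodes REG_MULTI_SZ hex(7) data, and compares the LSA and AppInit_DLLs values against a stock Windows XP baseline (scecli only, AppInit_DLLs empty). That baseline, the key constants and the function names are my assumptions; the sample script is constructed from the two posted scripts.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample assembled from the two CFScripts posted in this thread.
SAMPLE_SCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Security32 Loader"=-
"Mstask32driver"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

# Expected values on a stock Windows XP install (assumption, not from the thread):
# LSA loads only scecli, and AppInit_DLLs is empty. Keys and value names are
# matched case-insensitively because the registry is.
BASELINE = {
    (LSA_KEY.lower(), "notification packages"): ["scecli"],
    (APPINIT_KEY.lower(), "appinit_dlls"): "",
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_multi_sz(hex_csv):
    """REGEDIT4 hex(7) byte list -> list of strings (one byte per character)."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    # REG_MULTI_SZ is NUL-separated with an extra terminating NUL
    return [s for s in raw.decode("cp1252").split("\0") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: list of strings -> comma-separated hex bytes."""
    raw = b"".join(s.encode("cp1252") + b"\0" for s in strings) + b"\0"
    return ",".join(f"{b:02x}" for b in raw)


def parse_registry_section(text):
    """Return (key, value_name, op, data) tuples; op is 'set' or 'delete' ('=-')."""
    ops, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Registry::":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unrecognised line: {line!r}")
        name, data = m.group("name"), m.group("data")
        if data == "-":
            ops.append((key, name, "delete", None))
        elif data.startswith("hex(7):"):
            ops.append((key, name, "set", decode_multi_sz(data[len("hex(7):"):])))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            ops.append((key, name, "set", data[1:-1]))
        else:
            raise ValueError(f"unsupported data format: {data!r}")
    return ops


def is_baseline(key, name, value):
    """True/False if we hold a baseline for this value, None if we do not."""
    expected = BASELINE.get((key.lower(), name.lower()))
    if expected is None:
        return None
    return value == expected


def audit(ops):
    """Map each 'set' in the script to whether it restores the baseline value."""
    return {name: is_baseline(key, name, data) for key, name, op, data in ops if op == "set"}


if __name__ == "__main__":
    parsed = parse_registry_section(SAMPLE_SCRIPT)
    for key, name, op, data in parsed:
        print(f"{op:6} {key}\\{name} = {data!r}")
    print("baseline check:", audit(parsed))
    print("re-encoded:", encode_multi_sz(["scecli"]))
```

The same is_baseline check can be pointed at values exported from a live machine: an LSA Notification Packages list with anything beyond scecli, or a non-empty AppInit_DLLs, is loaded into every process at logon and deserves the same scrutiny the helper gave these entries.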