
Virtumonde


This topic is locked
2 replies to this topic

#1 jankali

  • Members
  • 55 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 23 August 2007 - 01:22 PM

I really need some help. My restaurant's register system's infected. I've run adaware and removed everything shown. I then ran Spybot and it came up with a ton of things including WinAntivirus2006, Virtumonde, etc. I just ran combofix.exe and here is the log. I'm working on downloading HijackThis. Can anyone give me any ideas? I've contacted the company that sold me the register system and haven't heard back from them. Thank you so much for any help.

ComboFix 07-08-17.2 - "Administrator" 2007-08-23 14:03:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.40 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ADMINI~1\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\ADMINI~1\APPLIC~1\..\err.log
C:\DOCUME~1\ADMINI~1\APPLIC~1\install.dat
C:\DOCUME~1\ADMINI~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\ADMINI~1\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\ADMINI~1\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\scurit~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#data
C:\Program Files\WinAntiSpyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#internal
C:\Program Files\WinAntiSpyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#name
C:\Program Files\WinAntiSpyware 2007\RTMonitor.dat\510921f61adf4bb5065aa0a4\23fd5d8c507c4f86b9e9a592\adfe08a9fd554b141960cc97\#name
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\ymbols~1
C:\Temp\fse
C:\WINDOWS\b104.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\aougmdcn.dll
C:\WINDOWS\system32\bqnxwqse.dll
C:\WINDOWS\system32\byyhfrrm.dll
C:\WINDOWS\system32\dahdjhfx.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\esqwxnqb.ini
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\f10WtR\f10WtR1099.exe
C:\WINDOWS\system32\fhroivcm.dll
C:\WINDOWS\system32\mcviorhf.ini
C:\WINDOWS\system32\mrrfhyyb.ini
C:\WINDOWS\system32\ncdmguoa.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\onnmp.tmp
C:\WINDOWS\system32\pferparg.exe
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\rautakhm.exe
C:\WINDOWS\system32\tdx.dll
C:\WINDOWS\system32\YrcOeGtv.exe
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\Tasks.\At10.job
C:\WINDOWS\Tasks.\At11.job
C:\WINDOWS\Tasks.\At12.job
C:\WINDOWS\Tasks.\At13.job
C:\WINDOWS\Tasks.\At14.job
C:\WINDOWS\Tasks.\At15.job
C:\WINDOWS\Tasks.\At16.job
C:\WINDOWS\Tasks.\At17.job
C:\WINDOWS\Tasks.\At18.job
C:\WINDOWS\Tasks.\At19.job
C:\WINDOWS\Tasks.\At2.job
C:\WINDOWS\Tasks.\At20.job
C:\WINDOWS\Tasks.\At21.job
C:\WINDOWS\Tasks.\At22.job
C:\WINDOWS\Tasks.\At23.job
C:\WINDOWS\Tasks.\At24.job
C:\WINDOWS\Tasks.\At3.job
C:\WINDOWS\Tasks.\At4.job
C:\WINDOWS\Tasks.\At5.job
C:\WINDOWS\Tasks.\At6.job
C:\WINDOWS\Tasks.\At7.job
C:\WINDOWS\Tasks.\At8.job
C:\WINDOWS\Tasks.\At9.job
C:\WINDOWS\ZnBvcw\asappsrv.dll
C:\WINDOWS\ZnBvcw\command.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23 )))))))))))))))))))))))))))))))


2007-08-23 14:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 13:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-08-21 16:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-21 15:25 <DIR> d--hs---- C:\WINDOWS\ZnBvcw
2007-08-21 15:24 43,542 --a------ C:\WINDOWS\system32\gebcyyv.dll
2007-08-21 15:23 <DIR> d-------- C:\Temp
2007-08-18 17:49 <DIR> d-------- C:\Program Files\WinBudget
2007-08-04 13:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MumboJumbo


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 12:27 --------- d-------- C:\Program Files\LogMeIn
2007-08-20 18:09 --------- d-------- C:\Program Files\Common Files\AOL
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\ZnBvcw\tB1SwT.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-21 15:24 43542 --a------ C:\WINDOWS\system32\gebcyyv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-12-21 22:10]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-12-21 22:10]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-12-21 22:10]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-21 22:10]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" [2006-12-21 22:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"svhost"="C:\WINDOWS\svhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Future P.O.S. Service Manager.lnk - C:\FPOS40\Bin\SVCMGR.exe [2005-11-14 17:09:56]
Future P.O.S..lnk - C:\FPOS40\Bin\FPOS.exe [2005-11-14 17:09:52]
Purge Old Data.lnk - C:\FPOS40\Bin\PURGEOLD.exe [2005-11-14 17:09:56]
Shortcut to CALLERID.exe.lnk - C:\FPOS40\Bin\CALLERID.exe [2005-11-14 17:09:51]
Windows Scheduler.lnk - C:\FPOS40\Bin\WINSCHED.exe [2005-11-14 17:09:57]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\gebcyyv.dll [2007-08-21 15:24 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyyv]
gebcyyv.dll 2007-08-21 15:24 43542 C:\WINDOWS\system32\gebcyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-10-06 21:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

R1 MMstub;MMstub Driver;C:\WINDOWS\system32\DRIVERS\MMstub.sys
R2 FPLogDB;Future P.O.S. 4.0 Logging;C:\WINDOWS\system32\LogSvc.EXE /SERVICECALL
R2 FPOSUpdate;Future P.O.S. 4.0 Update;C:\WINDOWS\system32\UpdEng2.EXE /SERVICECALL
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 monmouse;Monmouse Driver;C:\WINDOWS\system32\DRIVERS\monmouse.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 QSerBus;Quatech PCI/PCMCIA/ISA Multiport Serial Device Enumerator;C:\WINDOWS\system32\DRIVERS\qserbus.sys
R3 QSerFilt;Quatech PCI/PCMCIA/ISA Multiport Serial Filter Driver;C:\WINDOWS\system32\DRIVERS\qserfilt.sys
R3 QTSerial;Quatech Multiport Serial Driver;C:\WINDOWS\system32\DRIVERS\qtserial.sys


Contents of the 'Scheduled Tasks' folder
2007-08-15 12:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 14:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23 14:16:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-23 14:16

--- E O F ---

#2 jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:12:46 PM

Posted 23 August 2007 - 01:33 PM

Follow the steps in the BC Self-help Guide:
http://www.bleepingcomputer.com/forums/t/18610/how-to-remove-winfixer-virtumonde-msevents-trojanvundob/
This may quickly resolve your problem.

If it does not, then follow the Preparation Guide linked to below and post a HJT log for our Team to review:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 quietman7

Bleepin' Janitor

  • Global Moderator
  • 51,483 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:46 PM

Posted 23 August 2007 - 10:47 PM

Your log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
