Virtumonde Infection That Won't Go Away


This topic is locked
14 replies to this topic

#1 btah
  • Members
  • 24 posts

Posted 08 December 2007 - 01:19 PM

Hopefully I got the correct place to post this this time. Sorry to the person who had to correct me the first time.


I have been struggling with getting rid of the Virtumonde issues on my PC.
I have used several tools that I have read about on this site, and some report that I am infected and some report that I am not. I ran through several tools and included information below about the results of each of them.

I appreciate any feedback that might be able to help me clean this up. Thank you in advance.


Ad-Aware SE
build 1.06r1
latest definitions
results:
MRU List (3 Object Total)
These objects do not pose a threat
I removed the objects




Spybot S&D
release 1.4
latest definitions
results:
It showed a virtumonde infection that I allowed it to fix. The log is below:

Spybot log:
Virtumonde: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-12-05 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-12-05 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-12-05 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-12-05 Includes\KeyloggersC.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-12-05 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-12-05 Includes\PUPSC.sbi (*)
2007-12-05 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-12-05 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-05 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-28 Includes\Trojans.sbi (*)
2007-12-05 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll






VundoFix
version 6.7.0
results:

Done searching for files. No infected files were found.



VirtumundoBeGone
ran in safe mode with networking, here is the log that was created:

[12/08/2007, 9:48:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone(2).exe" )
[12/08/2007, 9:48:36] - Detected System Information:
[12/08/2007, 9:48:36] - Windows Version: 5.1.2600, Service Pack 2
[12/08/2007, 9:48:36] - Current Username: Owner (Admin)
[12/08/2007, 9:48:36] - Windows is in SAFE mode.
[12/08/2007, 9:48:36] - Searching for Browser Helper Objects:
[12/08/2007, 9:48:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/08/2007, 9:48:36] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[12/08/2007, 9:48:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/08/2007, 9:48:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[12/08/2007, 9:48:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[12/08/2007, 9:48:36] - BHO 3: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[12/08/2007, 9:48:36] - Finished Searching Browser Helper Objects
[12/08/2007, 9:48:36] - Finishing up...
[12/08/2007, 9:48:36] - Nothing found! Exiting...

No blue screen of death, which I have seen written in several places is to be expected.




Rebooted at this point and started in normal mode.



I ran McAfee stinger and it found no issues.



I ran Spybot again and it reported the following (same as before):




Virtumonde: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-12-05 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-12-05 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-12-05 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-12-05 Includes\KeyloggersC.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-12-05 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-12-05 Includes\PUPSC.sbi (*)
2007-12-05 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-12-05 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-05 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-28 Includes\Trojans.sbi (*)
2007-12-05 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



I didn't clean it up at this point. I then ran HijackThis, and here is the log:




HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:03 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Leadtek Research Inc. - (no file)

--
End of file - 4760 bytes




I then ran XoftSpySE, which I believe I read about on this site under one of the posts. It showed several issues:
Vendor Type Object
Agent AOY Trojan registry key system\currentcontrolset\services\domainservice
Agent AOY Trojan registry key system\controlset001\services\domainservice
A bunch of stuff about Viewpoint
Vundo Trojan registry key software\microsoft\uniqdata

Since I don't own XoftSpySE, I didn't clean up based on this


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 02:33 PM

Hello btah,

Let's see what we can do about this :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 02:45 PM

Doing this now. Will post as soon as finished.

Thanks.

#4 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 03:03 PM

ComboFix results:
ComboFix 07-12-09.1 - Owner 2007-12-08 13:46:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.574 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-06 22:21 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-06 22:20 . 2007-12-06 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2007-12-06 22:13 . 2007-12-06 22:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 20:49 . 2007-12-06 20:49 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-05 19:19 . 2007-12-05 19:19 <DIR> d-------- C:\Program Files\InterMute
2007-12-02 20:13 . 2007-12-02 20:13 1,583 --a------ C:\WINDOWS\system32\MRT.INI
2007-12-02 19:49 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-02 18:55 . 2007-12-02 18:55 434,698 --ahs---- C:\WINDOWS\system32\ttvwa.bak2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 02:32 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-03 03:02 --------- d-----w C:\Program Files\Microsoft Games
2007-12-03 02:21 --------- d-----w C:\Program Files\McAfee
2007-12-03 01:46 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2006-12-16 09:10 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-12-16 09:10 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-09-23 01:43 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-12-18 07:38 1,365,546 --sha-w C:\WINDOWS\system32\cbadd.bak1
2007-04-19 10:35 1,377,716 --sha-w C:\WINDOWS\system32\cbadd.bak2
2006-01-01 07:46 434,277 --sha-w C:\WINDOWS\system32\ttvwa.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-24 17:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 04:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-05 22:11]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-05 22:13]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-05 22:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 21:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
S2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\jfdcd.sys
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 WFIOCTL;WFIOCTL;\??\C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-04-17 10:43:17 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-04-17 10:43:18 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-09 19:53:26 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-07 02:49:08 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Owner\LOCALS~1\Temp\foeeodjg1.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 13:53:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 13:54:47 - machine was rebooted
.
--- E O F ---





HijackThis results

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:28 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Leadtek Research Inc. - (no file)

--
End of file - 4893 bytes




Also, after ComboFix ran and rebooted the machine, McAfee gave me the following; I'm not sure if this was expected or not. I have done nothing with this, it is still on my screen:
McAfee has detected a potentially unauthorized change to your computer.

Details
SystemGuard Name: Windows Shell Open Commands
Change: Registry Created

More Info
SystemGuard Description: Prevents changes to your Windows Shell (explorer.exe) Open Commands. Shell Open Commands allow a specific program to run every time a certain type of file is run. For example, a worm might attempt to run automatically every time an .exe application is run.

Process: C:\WINDOWS\system32\reg.exe
Process Name: Registry Console Tool
Process Publisher: Microsoft Corporation
Affected Items: C:\WINDOWS\system32\rundll32.exe, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dunfile\shell\open\command\A

If you did not expect this change, McAfee recommends that you block it. If you expected this change, allow it.


Thanks,
btah
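The ComboFix report in this post is the first output in the thread that shows the persistence pieces directly rather than a bare registry key: a DLL loaded into Explorer.EXE from the user's Temp folder, a driver (jfdcd) whose image path is also in Temp, and hidden+system-attribute files with .bak extensions in system32. The Python below is an added example, not part of the thread and not ComboFix code: it applies those three heuristics to a short excerpt constructed from the rows quoted above, plus a few benign rows (tmcomm.sys, the HouseCall folder, VPN-1) for contrast. The row layouts are the only ComboFix-specific assumption; the rules themselves are the editor's own, and a hit means "look at this", not "this is malware".

```python
"""Triage a ComboFix report excerpt for Vundo-style persistence indicators.

Added example for this thread; it is not ComboFix code and the heuristics are
the editor's own. Input is the plain-text report ComboFix writes.
"""
import re

# Paths under a per-user or system Temp directory (8.3 and long forms).
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.I)
SYSTEM32_RE = re.compile(r"\\WINDOWS\\system32\\", re.I)

# "Files Created" rows:  date time . date time size attrs path
# "Find3M" rows:         date time size attrs path   (size may be all dashes)
FILE_ROW_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+)?"
    r"(?:<DIR>|[\d,]+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>\S.*)$")
# Drivers/Services rows:  R2 name;description;image path
DRIVER_ROW_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$")
# "DLLs Loaded Under Running Processes" rows:  -> path
MODULE_ROW_RE = re.compile(r"^->\s+(?P<path>.+)$")


def triage(log_text):
    """Return a list of (reason, path) for rows matching the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FILE_ROW_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            # Hidden + system on a file in system32 is how Vundo parked its
            # companion .bak payloads; the attribute field is read by letter
            # because ComboFix prints it in two different widths.
            if "h" in attrs and "s" in attrs and SYSTEM32_RE.search(path):
                findings.append(("hidden+system file in system32", path))
            elif TEMP_DIR_RE.search(path):
                findings.append(("new file in a Temp directory", path))
        elif m := DRIVER_ROW_RE.match(line):
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(("driver image in a Temp directory", m.group("path")))
        elif m := MODULE_ROW_RE.match(line):
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(("module loaded from a Temp directory", m.group("path")))
    return findings


# Constructed excerpt in ComboFix's layout: the suspicious rows are the ones
# quoted in the thread; tmcomm.sys, HouseCall, Spyware Doctor and VPN-1 are
# benign rows included to show that not every entry is flagged.
SAMPLE_LOG = r"""
2007-12-06 22:21 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-06 22:20 . 2007-12-06 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2007-12-02 18:55 . 2007-12-02 18:55 434,698 --ahs---- C:\WINDOWS\system32\ttvwa.bak2
2006-12-18 07:38 1,365,546 --sha-w C:\WINDOWS\system32\cbadd.bak1
2007-12-07 02:32 --------- d-----w C:\Program Files\Spyware Doctor
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
S3 jfdcd;jfdcd;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\jfdcd.sys
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Owner\LOCALS~1\Temp\foeeodjg1.dll
"""

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason:40s} {path}")
```

Running it against a real report is `triage(open("C:/ComboFix.txt").read())`. The Temp-directory rule is the one that matters most for this family: HijackThis does not list modules loaded into Explorer, which is why both HijackThis logs in this thread look clean while ComboFix still shows foeeodjg1.dll in the shell process.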

#5 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 03:24 PM

ComboFix likely did this, so it's all right. Some AntiVirus programs tend to throw fits about some of the things ComboFix does, so it's no surprise.

Are you still having the alerts you mentioned in your first post?

Regards,
tea
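The McAfee SystemGuard alert quoted in post #4 concerns the shell\open\command keys under HKLM\SOFTWARE\Classes: the command stored there runs whenever a file of that type is opened, so replacing the stock "%1" %* under exefile (or comfile, batfile, and so on) with a wrapper is a well-known way for malware to get executed on every program launch. The Python below is an added example, not from the thread, McAfee or ComboFix: it parses a reg.exe export of those keys and compares the classes that execute directly against their stock Windows XP commands. The export text is constructed for the example; the comfile entry in it is invented to show what a hijack looks like, and the expected-value table is the editor's assumption for XP rather than anything quoted in the thread.

```python
"""Compare HKLM\\SOFTWARE\\Classes\\<progid>\\shell\\open\\command values with
stock Windows XP defaults.

Added example for this thread, not code from McAfee, ComboFix or the poster.
Input is the text of a .reg export, e.g. the output of
    reg export HKLM\\SOFTWARE\\Classes\\exefile exefile.reg
The export layout is the only Windows-specific assumption; the script itself
runs anywhere.
"""
import re

# Stock XP defaults for the classes that execute directly (editor's assumption).
EXPECTED = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
OPEN_CMD_RE = re.compile(r"\\Classes\\(?P<cls>[^\\]+)\\shell\\open\\command$", re.I)
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.I)


def reg_unescape(value):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_open_commands(reg_text):
    """Return {progid: default command} for every shell\\open\\command key."""
    commands = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            k = OPEN_CMD_RE.search(m.group("key"))
            current = k.group("cls").lower() if k else None
        elif current and (m := DEFAULT_RE.match(line)):
            commands[current] = reg_unescape(m.group("val"))
    return commands


def check_open_commands(commands):
    """Return {progid: [reasons]} for commands that look tampered with."""
    findings = {}
    for cls, cmd in commands.items():
        reasons = []
        norm = " ".join(cmd.split()).lower()
        if cls in EXPECTED and norm != EXPECTED[cls].lower():
            reasons.append("differs from the stock XP value %r" % EXPECTED[cls])
        if TEMP_DIR_RE.search(cmd):
            reasons.append("command references a Temp directory")
        if reasons:
            findings[cls] = reasons
    return findings


# Constructed export: exefile, scrfile and txtfile carry their stock values; the
# comfile entry is invented to show a wrapper that would run a Temp DLL on every
# .com launch (the DLL name is the one ComboFix found loaded in Explorer above).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\rundll32.exe\" C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\foeeodjg1.dll,Launch \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def audit(reg_text=SAMPLE_REG):
    """Parse an export and return the tampered-looking classes."""
    return check_open_commands(parse_open_commands(reg_text))


if __name__ == "__main__":
    for cls, reasons in audit().items():
        print(cls)
        for r in reasons:
            print("   -", r)
```

Classes outside the table (txtfile here) are only checked for the Temp-path rule, since their legitimate commands vary by installed software. Export the whole Classes hive with `reg export HKLM\SOFTWARE\Classes classes.reg` to cover every progid at once; the alert in this thread also named a dunfile key, whose stock value is not asserted here.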

#6 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 03:34 PM

I'll run spybot again and see if it complains.

I will run it now and get back to you as soon as it finishes.

btah

#7 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 04:02 PM

Spybot says everything is fine.


XoftSpySE says:
Vundo Trojan Registry Key software\microsoft\uniqdata




Is there still something hanging around?


btah

#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 04:18 PM

Hello,

I don't think so, but we'll do a couple of things to be sure. :blink:

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now see if there are any complaints. :thumbsup:

Thanks,
tea

#9 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 05:32 PM

Did all the steps from the last post, XoftSpySE says:
Vundo Trojan Registry Key software\microsoft\uniqdata

still exists. Other than that, everything is running smoothly. I don't know anything about XoftSpySE and whether I should listen to it or not. If from your experience everything seems fine, I'll go with that.

It seems that running the combofix finally solved the issue. Can you tell exactly what it did to clean things up?

If this was your computer, would you feel comfortable the trojan is gone based on what you have seen and had me do?

Thanks again,
btah

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 05:46 PM

Hello,

I really think it's just an orphaned registry key, and that the threat is gone. We can run one more program if you like, and it will detect anything in the registry that might not be right :

Download the trial version of Spy Sweeper from here.


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) Also, make sure you do NOT accept the Ask Toolbar.

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

Other than that, I really think you're all right. :thumbsup:

Thanks,
tea

#11 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 06:15 PM

Have to step out for the evening. I will post the results later tonight. However, spy sweeper is saying that
adware found: virtumonde


Thanks for all the help.
btah

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 06:30 PM

Have a great evening! :thumbsup:

Regards,
tea

#13 btah
  • Topic Starter
  • Members
  • 24 posts

Posted 08 December 2007 - 08:24 PM

I let spysweeper clean up, the following is the log. I then ran spybot again and it was clean. Thanks again for all of your help, it is very much appreciated. I will check back to see if you see anything odd, but it looks like with your expertise, we got rid of it. Enjoy your holidays. btah.


6:43 PM: Removal process completed. Elapsed time 00:00:01
6:43 PM: Quarantining All Traces: virtumonde
6:43 PM: Removal process initiated
5:24 PM: Traces Found: 1
5:24 PM: Custom Sweep has completed. Elapsed time 00:22:20
5:24 PM: File Sweep Complete, Elapsed Time: 00:20:22
5:23 PM: Warning: TCompressedFile.GetStreams(2): Stream read error
5:21 PM: Warning: TCompressedFile.GetStreams(2): Stream read error
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb328c2ca-ee0a-4ab7-b53a-8bf8e879f519.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms022d3cb5-1675-4a11-8523-10fd969c2c03.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1487ccd4-3425-4556-8c9b-dbabe9fccf1d.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3f4258e6-8fbf-49c5-a350-4999fae3dd85.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsed6b9bed-d1a8-4312-b6b6-b6999385cc3d.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms691bac29-85d2-4e63-9174-28e5d00e71c7.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms30616e42-c311-4ac9-bfad-5a123f96a490.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms1eb8f2a6-2527-4ca4-8188-a8e57739b106.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse77b3017-de28-49ea-a387-94eb006a3665.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9109837c-da66-469d-bc0c-3aa4c3a131db.tmp". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\windows\temp\mcmsc_gsk8xm0dtcgjai3". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\documents and settings\owner\application data\mozilla\firefox\profiles\default.ynj\parent.lock". The operation completed successfully
5:20 PM: Warning: Failed to open file "c:\windows\temp\mcmsc_igamq8z4ohjl4p1". The operation completed successfully
5:04 PM: Starting File Sweep
5:04 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:04 PM: Starting Cookie Sweep
5:04 PM: Registry Sweep Complete, Elapsed Time:00:00:25
5:04 PM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
5:04 PM: Found Adware: virtumonde
5:04 PM: Starting Registry Sweep
5:04 PM: Memory Sweep Complete, Elapsed Time: 00:01:30
5:02 PM: Starting Memory Sweep
5:02 PM: Start Custom Sweep
5:02 PM: Sweep initiated using definitions version 1046
Keylogger: Off
5:00 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
E-mail Attachment: On
5:00 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:00 PM: Shield States
5:00 PM: License Check Status (0): Success
5:00 PM: Spyware Definitions: 1046
5:00 PM: Spy Sweeper 5.5.7.103 started
5:00 PM: Spy Sweeper 5.5.7.103 started
5:00 PM: | Start of Session, Sunday, December 09, 2007 |
***************

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 December 2007 - 08:29 PM

Hello,

Excellent news. :wacko: You're most welcome. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

You have a wonderful holiday season as well! :blink:
tea

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 December 2007 - 02:54 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
