Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Virtumonde et al


  • This topic is locked This topic is locked
2 replies to this topic

#1 adf1962

adf1962

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 11 October 2008 - 09:52 PM

Alrightee then, hereís the story.

It all began a couple of days ago when I saw the Windows Update in the bottom right of my screen switch to OFF. I went to Security Center in Control Panel to switch it ON but nothing happened. Thatís when I realized I had a problem. Thatís when the bogus pop-ups started saying they were from the Security Center and were doing a scan.

I downloaded and ran Spybot a couple of times which did clean up some malware. This is when I noticed that I might have the Virtumonde virus.

Another symptom is that my screen background went to white. Any attempts to try and fix it through the Display Properties didnít work because there were only three tabs instead of the regular five. The Desktop tab was missing. A quick search on the Internet took me to

Thanks to Bleeping Computer I found out about the tweak at http://www.kellys-korner-xp.com/xp_tweaks.htm . When I apply the registry fix, it puts the Display Properties back to normal . . until the next time I restart the computer. And it confirms that there is actually a bogus bmp file that makes the screen go white. Although Norton catches the virus, it gets activated before Norton can stop the screen from going white.

I did try ComboFix but canít get the screen to run. . .it sort of starts the initialization and then . . .nothing. I must be doing something wrong?

Oh and here's the best part . . is this ever diabolical . . I get what looks like a Blue Screen of Death . . which then appears to reboot . . .except it's a fake. It's actually a screen-saver that kicks in which makes you think you have a blue screen . . .forcing you to turn off the computer. It's not until you move your mouse that you realize it's a screen-saver.

And so . . the next step was to run HiJackThis hoping someone can see what I canít. Any suggestions or advice would be great. Thanks in advance for anything you can provide.

ADF

===================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:56 PM, on 2008-10-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
O2 - BHO: (no name) - {2007820B-DDB0-4BFE-B2ED-EAF24FABC86C} - C:\WINDOWS\system32\yayxxxXq.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [lphc3nvj0eca3] C:\WINDOWS\system32\lphc3nvj0eca3.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\system32\SSTEM3~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Qchnh] "C:\Documents and Settings\Tony\My Documents\s?mbols\w?nlogon.exe"
O4 - HKCU\..\Run: [prunnet] "C:\DOCUME~1\Tony\LOCALS~1\Temp\prun.exe"
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingB532] command /c del "C:\Program Files\Outerinfo\FF\install.rdf" (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingD952] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf" (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingB9022] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt" (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingD1824] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt" (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingB6653] command /c del "C:\WINDOWS\system32\inxdwext.dll" (User 'Administrator')
O4 - HKUS\S-1-5-21-3860373334-2885350956-181780697-500\..\RunOnce: [SpybotDeletingD3403] cmd /c del "C:\WINDOWS\system32\inxdwext.dll" (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://webmail.us-resources.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9541D7A2-AEB9-4B63-8C25-CD1FB2433AF1}: NameServer = 192.168.2.1
O20 - Winlogon Notify: __c0092668 - C:\WINDOWS\system32\__c0092668.dat (file missing)
O21 - SSODL: JcZgSr - {44A63D61-EE0C-97CB-3CAF-1B926BE92182} - C:\WINDOWS\system32\epxbne.dll (file missing)
O23 - Service: AbelService - Unknown owner - C:\Program Files\AbelCam\AbelService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: sasrfc Service (sasrfcService) - Unknown owner - C:\Program Files\SAS Institute\SAS\V8\access\sasexe\sasrfc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10974 bytes

Edited by adf1962, 11 October 2008 - 10:03 PM.


BC AdBot (Login to Remove)

 


m

#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 20 October 2008 - 10:35 AM

Hello adf1962,

I apologise for the delay, the forum is busy.

If you still need help, post a new HijackThis log, from Normal mode if possible.
If not post one from Safe mode.

Avoid using your pc in Safe mode with Network support, as you are not protected.
Try to avoid Internet untill we get it cleaned.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 26 October 2008 - 02:25 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users