Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection? Others? Oh what a Christmas....!


  • This topic is locked This topic is locked
2 replies to this topic

#1 Orbitboy

Orbitboy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 24 December 2008 - 09:19 AM

Hi and Merry Christmas! I hope someone has some time over the holiday to help out!!!!
(I'll be here working on it at least....)
My daughter picked up something I believe is Vundo from a Poke-man site. The malware
continually pops up ads promoting some antivirus software and hijacks the webpage. I don't
know if there may be other infections - 'm sure she clicked on the ads and tried to use them
in an attempt to "cover her tracks" - she didn't want anyone to know she was the one that
"caught" the infection - Typhoid Mary....
I used an AVG scan and Spybot S&D in safe mode to try and rid the PC of the infection but as
soon as I rebooted it came right back. Rerunning Spybot shows the same infections even though
they were supposedly fixed in safe mode. I figure my only hope now is posting a HighJackThis
log and getting some help. Hope someone is still "out there" this holiday....
....and hope your's is a Merry one!!!!!!
(It's tough wrapping and fixing the PC at the same time....)

Thank You!!

Orbitboy

DDS.txt below, Attach.txt well, Attached!


DDS (Version 1.1.0) - NTFSx86
Run by Dad at 8:59:02.17 on Wed 12/24/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.321 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CVSEXPSS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\SXPESVC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uInternet Settings,ProxyServer = http=68.37.65.157:9201
BHO: N/A: {3F90FB8C-445D-4EB6-9E2C-42039BDD346C} - c:\windows\system32\pmnmkjkL.dll
BHO: N/A: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\cbXOEvSj.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Veoh Browser Plug-in: {D0943516-5076-4020-A3B5-AEFAF26AB263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - c:\program files\winamp toolbar\winamptb.dll
TB: AVG Security Toolbar: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [2c5cc4c1] rundll32.exe "c:\windows\system32\nfybjkvc.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-system: DisableLockWorkstation = 1 (0x1)
dPolicies-system: DisableLockWorkstation = 1 (0x1)
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: ebay.com\my
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {1313B309-FBF4-4735-8F67-A2337DF998E3} = 192.168.0.1,4.2.2.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: cbXOEvSj - cbXOEvSj.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: avgrsstx.dll dwmpib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Caloguni - {869059F9-3C51-4CBF-AAAD-DB7B8D666D36} - c:\windows\system32\x32uwmak.dll
SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
c:\windows\system32\cbXOEvSj.dll
SecurityProviders: rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnmkjkL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\wyq47ula.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-24 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-24 26824]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2007-2-27 32256]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-24 231704]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-14 47640]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-29 24652]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2008-11-15 457856]
S2 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\Ca504av.sys [2006-9-24 516149]
S3 CDCCG;Machoman V-CD 0.53!machoman China;c:\windows\system32\drivers\cdg.sys [2007-10-19 26640]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2006-9-24 10986]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-05 05:54 73,048 a------- c:\docume~1\dad\applic~1\GDIPFONTCACHEV1.DAT
2008-11-11 22:20 5,595,185 a------- c:\windows\system32\MSO9.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 19:35 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 19:35 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-16 19:35 23,736 a------- c:\windows\system32\LMImirr.dll
2008-10-16 19:35 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 19:35 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-08-29 08:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat
2007-11-02 09:35 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-11-02 09:35 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-11-02 09:35 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:00:32.03 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:05 PM

Posted 04 January 2009 - 06:42 PM

Hello Orbitboy,

Posted Image

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. To get HijackThis:

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:05 PM

Posted 13 January 2009 - 03:29 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users