virtumonde & ctfmon infection


This topic is locked
10 replies to this topic

#1 robert jensen

robert jensen

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 02 January 2009 - 01:09 AM

Here's the info... Thanks in advance

We have Webroot Spy Sweeper & McAfee Security Center running on the computer (a Dell Inspiron running XP). We have McAfee Virus Scan and McAfee Firewall active on the computer and all were active, but obviously someone clicked ok to install something from a random website...

The initial symptom was a popup warning me my computer was infected and that I needed to buy malware removal software whenever I opened Firefox or IE.

Things I did immediately:
- uninstalled Mozilla
- installed Google Chrome
- stopped using IE
- Ran SpySweeper and fixed everything it identified. Webroot Spy Sweeper initially identified that virtumonde was on the computer, and wouldn't come off.

The above steps allowed us to run pretty much normally for a week, but I have been working all day today trying to get it virus/spyware clear.


What I have done today.
- Searched on virtumonde and found bleepingcomputer
- downloaded and ran Spybot and rebooted while disconnected from the internet
- Immunized everything with Spybot
- Used the Spybot Startup tool to remove anything flagged as a virus
- downloaded Malwarebytes Anti-Malware, ran and saved log (below) re-booted
- downloaded dds, ran and saved DDS.txt

Then I did it all again, and again ... in all I have run the steps above at least 5 times.
On the DDS list below is a file c:\windows\system32\hyliwrhl.ini that I think may have been the file that instigated the issues I saw on the 24th. I checked and it is no longer in the directory (I didn't explicitly delete it).

The last thing I did before writing this was go into add/delete programs and look to see if CTFMON was active on my computer (following the directions on the MS website) and it isn't, so I think it is the virus (as per Spybot's startup warning). --- EDIT --- After reading more about ctfmon it sounds like IE starts it up, which could explain why it isn't showing up as a virus on any scans yet alternate text formats aren't enabled for Word. END EDIT.

Anyway, Here is where things currently stand.

Spy Sweeper says that virtumonde is still on the computer but is blocked
CTFMON.EXE puts itself back into the startup list and is listed as a task
Malwarebytes' Anti-Malware is saying that there are no issues, as is Spybot, but Spy Sweeper says that virtumonde is still on the computer

I can now use IE without the annoying popups but I am not confident that everything is off of the computer... mainly because ctfmon.exe keeps starting up. Below are the print outs from DDS and Anti-Malware. Any suggestions on next steps would be appreciated.

Thanks in advance,
Rob Jensen

-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*


DDS (Version 1.1.0) - NTFSx86
Run by admin at 19:50:08.04 on Thu 01/01/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\mspaint.exe
C:\Documents and Settings\admin\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080624
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080624
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: tuvWoljI - tuvWoljI.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: ruyojz.dll pvkfzl.dll iagaxt.dll cdlqnr.dll xvbgmg.dll bhxtau.dll tocfpb.dll aebbpe.dll grszal.dll wncmlk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-23 201320]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-10 124832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-23 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-23 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\spy sweeper\SpySweeper.exe" [2008-7-4 3572592]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-1 38496]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-23 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-23 33832]

=============== Created Last 30 ================

2009-01-01 16:36 <DIR> --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-01-01 16:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 16:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-01 16:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 15:39 <DIR> --d----- c:\docume~1\admin\applic~1\MalwareRemovalBot
2009-01-01 13:33 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-01 13:23 <DIR> --dsh--- c:\documents and settings\admin\PrivacIE
2009-01-01 13:11 <DIR> --d----- c:\program files\Cobian Backup 9
2009-01-01 11:49 <DIR> --d----- c:\docume~1\admin\applic~1\Webroot
2009-01-01 11:48 <DIR> --d----- c:\documents and settings\admin
2009-01-01 10:16 391 a------- c:\windows\wininit.ini
2009-01-01 09:51 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-01 09:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-01 09:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-01 09:28 129,024 a------- c:\windows\system32\wncmlk.dll
2009-01-01 09:27 129,024 a------- c:\windows\system32\scqgpius.dll
2008-12-30 09:28 129,024 a------- c:\windows\system32\aebbpe.dll
2008-12-30 09:28 129,024 a------- c:\windows\system32\twygpppf.dll
2008-12-30 09:22 72,704 a------- c:\windows\system32\ychimxkx.dll
2008-12-27 07:42 56 a---h--- c:\windows\system32\ezsidmv.dat
2008-12-27 07:18 <DIR> --d----- c:\program files\Skype
2008-12-26 19:39 195,096 a------- c:\windows\system32\lvci11801048.dll
2008-12-26 19:39 627,864 a------- c:\windows\system32\drivers\lvrs.sys
2008-12-26 19:27 1,920,920 a----r-- c:\windows\system32\drivers\lvpopflt.sys
2008-12-26 19:26 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-12-26 19:26 195,096 a----r-- c:\windows\system32\lvci1150.dll
2008-12-26 19:26 4,658,584 a------- c:\windows\system32\drivers\lvuvc.sys
2008-12-26 19:26 490,008 a------- c:\windows\system32\LVUI2.dll
2008-12-26 19:26 465,432 a------- c:\windows\system32\LVUI2RC.dll
2008-12-26 19:26 416,280 a------- c:\windows\system32\LVCodec2.dll
2008-12-26 19:26 66,482 a------- c:\windows\system32\lvcoinst.ini
2008-12-26 19:26 41,752 a------- c:\windows\system32\drivers\LVUSBSta.sys
2008-12-26 19:26 25,974 a------- c:\windows\system32\Repository.reg
2008-12-26 19:26 0 a------- c:\windows\system32\drivers\logiflt.iad
2008-12-26 19:26 23,832 a------- c:\windows\system32\drivers\lvuvcflt.sys
2008-12-26 15:08 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-12-26 15:02 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2008-12-26 15:02 5,504 a------- c:\windows\system32\dllcache\mstee.sys
2008-12-26 15:00 53,760 a------- c:\windows\system32\vfwwdm32.dll
2008-12-26 15:00 53,760 a------- c:\windows\system32\dllcache\vfwwdm32.dll
2008-12-26 15:00 91,136 a------- c:\windows\system32\kswdmcap.ax
2008-12-26 15:00 91,136 a------- c:\windows\system32\dllcache\kswdmcap.ax
2008-12-26 15:00 61,952 a------- c:\windows\system32\kstvtune.ax
2008-12-26 15:00 61,952 a------- c:\windows\system32\dllcache\kstvtune.ax
2008-12-26 15:00 43,008 a------- c:\windows\system32\ksxbar.ax
2008-12-26 15:00 43,008 a------- c:\windows\system32\dllcache\ksxbar.ax
2008-12-26 15:00 20,992 a------- c:\windows\system32\dshowext.ax
2008-12-26 15:00 20,992 a------- c:\windows\system32\dllcache\dshowext.ax
2008-12-25 14:07 0 a------- c:\windows\system32\񀿉
2008-12-25 14:01 10 a------- C:\usb001
2008-12-24 23:59 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-24 15:50 120 ---sh--- c:\windows\system32\hyliwrhl.ini
2008-12-24 14:02 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-23 15:46 120 ---sh--- c:\windows\system32\nvttdebm.ini
2008-12-22 10:04 120 ---sh--- c:\windows\system32\joryernw.ini
2008-12-22 09:09 <DIR> -cd-h--- c:\windows\ie8
2008-12-21 10:01 120 ---sh--- c:\windows\system32\njslfkfl.ini

==================== Find3M ====================

2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:18 152,384 a------- c:\windows\system32\FNTCACHE.DAT
2008-09-24 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 19:51:04.98 ===============

-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*-----*


Malwarebytes' Anti-Malware 1.31
Database version: 1591
Windows 5.1.2600 Service Pack 3

1/1/2009 9:17:32 PM
mbam-log-2009-01-01 (21-17-32).txt

Scan type: Quick Scan
Objects scanned: 90441
Time elapsed: 17 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by robert jensen, 02 January 2009 - 01:39 AM.
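The DDS log above carries the usual Vundo/Virtumonde tells: a populated AppInit_DLLs value full of six-letter DLL names, a Winlogon Notify entry (tuvWoljI) pointing at a bare DLL name, 120-byte hidden+system .ini files in system32, and a DLL (wncmlk.dll) that shows up both in AppInit_DLLs and in the "Created Last 30" list. The following script is an added example, not part of the post and not code from DDS, ComboFix or any of the tools named in the thread. It parses a constructed excerpt of the log (lines taken from the report above, trimmed) and applies those four checks; the Notify allowlist and the severity labels are assumptions made for the example, not anything the thread or the tools define.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason item")

# Constructed sample: selected "Pseudo HJT Report" and "Created Last 30" lines
# modelled on the DDS log in the post above, not the full log.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [SpySweeper] c:\\program files\\webroot\\spy sweeper\\SpySweeperUI.exe /startintray
Notify: tuvWoljI - tuvWoljI.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: ruyojz.dll pvkfzl.dll wncmlk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
2009-01-01 09:28 129,024 a------- c:\\windows\\system32\\wncmlk.dll
2009-01-01 09:27 129,024 a------- c:\\windows\\system32\\scqgpius.dll
2008-12-24 15:50 120 ---sh--- c:\\windows\\system32\\hyliwrhl.ini
2008-12-24 14:02 410,984 a------- c:\\windows\\system32\\deploytk.dll
2008-12-27 07:18 <DIR> --d----- c:\\program files\\Skype
"""

# Hypothetical allowlist of Winlogon Notify DLLs belonging to installed products.
# WRLogonNTF.dll is assumed to be Webroot Spy Sweeper's notify package, based only
# on the "WRNotifier" name in the log; verify against the vendor before trusting it.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}

HJT_RE = re.compile(r"^(AppInit_DLLs|Notify):\s*(.*)$")
# DDS file records: "<date> <time> <size|<DIR>> <8 attribute chars> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$"
)


def parse_dds(text):
    """Extract AppInit_DLLs entries, Winlogon Notify entries and
    'Created Last 30' file records from DDS-style log lines."""
    appinit, notify, created = [], {}, []
    for line in text.splitlines():
        m = HJT_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "AppInit_DLLs":
                appinit.extend(v.lower() for v in value.split())
            else:
                name, _, dll = value.partition(" - ")
                notify[name.strip()] = dll.strip()
            continue
        m = CREATED_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            created.append({
                "stamp": stamp,
                "attrs": attrs,
                "path": path.lower(),
                "size": None if size == "<DIR>" else int(size.replace(",", "")),
            })
    return appinit, notify, created


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(text, known_notify=KNOWN_NOTIFY_DLLS):
    """Apply four Vundo-style heuristics to a DDS log and return Findings."""
    appinit, notify, created = parse_dds(text)
    findings = []
    # 1. AppInit_DLLs is normally empty on XP; every listed DLL is loaded into
    #    each process that maps user32.dll, so each entry is high severity.
    for dll in appinit:
        findings.append(Finding("high", "AppInit_DLLs entry", dll))
    # 2. Winlogon Notify DLLs given as bare names and not on the allowlist.
    for dll in notify.values():
        if "\\" not in dll and dll.lower() not in known_notify:
            findings.append(Finding("medium", "unknown Winlogon Notify DLL", dll))
    # 3. A file created in the last 30 days that is also registered at a load
    #    point is the strongest single signal in the log.
    loadpoint_names = set(appinit) | {d.lower() for d in notify.values()}
    for rec in created:
        name = basename(rec["path"])
        if name in loadpoint_names:
            findings.append(Finding("high", "recently created file registered as load point", rec["path"]))
        # 4. Hidden+system .ini files in system32 (attribute columns 4-5 read "sh").
        if name.endswith(".ini") and rec["attrs"][3:5] == "sh" and "\\system32\\" in rec["path"]:
            findings.append(Finding("medium", "hidden system .ini in system32", rec["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.item}")
```

Run against the sample, the script flags the three AppInit DLLs, tuvWoljI.dll, the hyliwrhl.ini file, and wncmlk.dll a second time as a freshly created load-point file, while leaving WRLogonNTF.dll, deploytk.dll and the Skype folder alone. These are review prompts for a human log reader, not verdicts: the same random-name pattern is what the helper in this thread confirmed by reading the log before prescribing ComboFix.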


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:04 AM

Posted 03 January 2009 - 05:08 PM

Hello Robert Jensen and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 04 January 2009 - 02:52 AM

ComboFix is recommending that I close McAfee. I have been trying for over an hour and I can't figure out how to stop the McAfee engine process. It has a feature that doesn't let you stop it even if admin, which is probably a good thing, but in this case very frustrating.

Any suggestions?

#4 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 04 January 2009 - 03:22 AM

I went ahead and ran Combofix with most of McAfee turned off. But short of uninstalling I couldn't get the McAfee and SpySweeper engines turned off.

I have attached the Combofix log.

Let me know if I need to uninstall McAfee and Spy Sweeper and run again

Thanks
Rob

Attached Files

  • log.txt (20.07KB, 21 downloads)


#5 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 04 January 2009 - 05:21 AM

Major ugly update.

After posting my log, I re-booted and logged into my wife's acct (we have XP with multiple users set up). My wife is the primary user of this computer. All my work was done under a separate user id (which had admin rights).

Anyway, after re-booting and going in as her user id her outlook express was gone (I checked add/remove programs and it was gone gone)... It was there prior to running combofix, but in its place was some generic internet email, and when I clicked on it I started getting internet pop-ups (mixed porn and anti-virus) by the dozen. Actually Spy Sweeper was blocking them but I was still getting the SS pop-ups.

Luckily I had restore points from Friday and Saturday, so I restored to Saturday and her outlook is back, and the popups are gone. But

Any suggestion?

Rob

#6 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 04 January 2009 - 06:08 AM

One more piece of the puzzle.

After Combofix ran I tried to run Spy Sweeper because that is the one that was saying virtumonde was on my computer. When I tried it came up with an error (sorry, didn't write it down).

Anyway, I uninstalled it using add/remove programs then reinstalled from the CD. It was when I rebooted after reinstalling that my computer went ballistic with popups and OE was gone.

I mention this because after writing the last email I noticed that after restoring my system back to yesterday morning SpySweeper was no longer loaded (I will come back to this). So I put the CD back in and reinstalled it. As soon as it was installed and rebooted it started with the popups again. I quickly exited the software (right clicked on the icon in the lower right toolbar), and uninstalled it using Add/Remove, then re-booted. No more pop-ups, and this time no impact on OE.

Interesting thing about the restore: In addition to SS not being on the computer after restore, I had removed IE8 beta today also to allow the McAfee security center to load properly (you get a blank screen with IE8 beta -- known bug). I had removed IE8 so I could see the SC in an attempt to stop it before running ComboFix.

So that's where I stand now.

McAfee and SpyBot loaded, Spy Sweeper off my system, but obviously with an infected file somewhere as I doubt the shrink-wrapped CD had a virus on it. My system is telling me it is clean (at least McAfee, Spybot and Malwarebytes' Anti-Malware can't find any).

Any suggestions on what I should do next?
Rob

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:04 AM

Posted 04 January 2009 - 04:09 PM

Hello Rob,

Looking at your earlier posted ComboFix log, the tool didn't change anything of Outlook Express!
Doing a rollback from IE8 to IE7, however, can have some consequences for Outlook Express, as it's installed along with IE. :thumbsup:

You can either run another DDS scan (from an account with full admin rights, which one isn't important),
or run ComboFix again.
If something is still present, DDS will show it; ComboFix will either show or tackle it.

Greetings,
Thunder

#8 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 05 January 2009 - 02:15 AM

I think I have things clean. See attached.

Attached Files

  • DDS.txt (12.06KB, 2 downloads)
  • log2.txt (16.57KB, 3 downloads)


#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:04 AM

Posted 05 January 2009 - 05:14 AM

Hello Rob,

Your logs look good now. :thumbsup:

Navigate, using Windows Explorer, to and delete the following folders and files if still present:
  • c:\windows\Tasks\dxwiwkxz.job <== file
  • c:\windows\Tasks\wxlaewzi.job <== file
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u.
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Any problems left ?

Greetings,
Thunder

#10 robert jensen

robert jensen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 06 January 2009 - 02:29 AM

Thanks :thumbsup:

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:04 AM

Posted 06 January 2009 - 08:40 AM

Glad we could help, Rob :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.