
Virtumonde and Seneka infection


1 reply to this topic

#1 shevy61

shevy61

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 23 January 2009 - 11:43 AM

I've run ComboFix, MBAM (several times) and HijackThis. I think I'm clean now, but I wanted to post my logfile and let the experts take a look. Here is the log from the DDS download.


DDS (Ver_09-01-19.01) - NTFSx86
Run by markt at 11:10:36.06 on 2009-01-23
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1504 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\markt\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\markt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4080721
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [WinVNC] "c:\program files\realvnc\winvnc\WinVNC.exe" -servicehelper
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {6E804C3C-1604-45ED-9627-C9ED82D31F30} = 10.10.10.9,10.10.10.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markt\applic~1\mozilla\firefox\profiles\7jvo5lss.default\
FF - HiddenExtension: XUL Cache: {87528A8B-F45A-479D-B641-AEB8F1062D54} - c:\windows\system32\config\systemprofile\local settings\application data\{87528a8b-f45a-479d-b641-aeb8f1062d54}\
FF - HiddenExtension: XUL Cache: {D176094A-CB62-49E9-A533-9C5EE5506261} - c:\documents and settings\markt\local settings\application data\{D176094A-CB62-49E9-A533-9C5EE5506261}

============= SERVICES / DRIVERS ===============

R0 AFPAnsi;Alfa File Protector Ansi;c:\windows\system32\drivers\AFPAnsi.sys [2009-1-22 43936]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 SuperMounter;SuperMounter;c:\windows\system32\drivers\supermounter.sys [2009-1-22 11264]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090105.009\naveng.sys [2009-1-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090105.009\navex15.sys [2009-1-5 876112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
R4 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S0 cerc6;cerc6; [x]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================

2009-01-23 10:16 <DIR> --d----- C:\ComboFix
2009-01-23 09:51 <DIR> --d----- c:\docume~1\markt\applic~1\Malwarebytes
2009-01-23 09:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-23 09:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 09:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 09:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-23 09:05 <DIR> a-dshr-- C:\cmdcons
2009-01-23 09:03 161,792 a------- c:\windows\SWREG.exe
2009-01-23 09:03 98,816 a------- c:\windows\sed.exe
2009-01-22 17:06 <DIR> --d----- c:\windows\pss
2009-01-22 16:43 79 a------- c:\windows\SuperUtil.ini
2009-01-22 16:08 1,485,312 a------- c:\windows\system32\vbsbak.dat
2009-01-22 16:08 1,473,536 a------- c:\windows\system32\context.dll
2009-01-22 16:08 269,824 a------- c:\windows\system32\baksm.dll
2009-01-22 16:08 269,824 a------- c:\windows\system32\baksm.dat
2009-01-22 16:08 261,120 a------- c:\windows\system32\supermenuhook.dll
2009-01-22 16:08 89,088 a------- c:\windows\system32\Shreder.dll
2009-01-22 16:08 73,728 a------- c:\windows\system32\smh.dat
2009-01-22 16:08 44,000 a------- c:\windows\system32\drivers\AFPUni.sys
2009-01-22 16:08 43,936 a------- c:\windows\system32\drivers\AFPAnsi.sys
2009-01-22 16:08 11,264 a------- c:\windows\system32\drivers\supermounter.sys
2009-01-22 16:08 6,144 a------- c:\windows\system32\SuperRes.dll
2009-01-22 16:08 <DIR> --d----- c:\program files\SuperLogix
2009-01-22 15:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-22 09:43 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-22 09:43 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-22 09:43 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-22 09:43 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-22 09:43 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-22 09:43 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-22 09:43 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-22 09:43 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-22 09:43 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-22 09:35 118 a------- c:\windows\system32\MRT.INI
2009-01-14 15:50 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-14 15:30 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-14 15:30 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-14 15:30 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-14 15:30 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-14 15:21 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-14 15:10 0 a------- c:\windows\vpc32.INI
2009-01-14 14:21 46,592 ac------ c:\windows\system32\dllcache\svcext51.dll
2009-01-14 14:20 57,399 ac------ c:\windows\system32\dllcache\cplexe.exe
2009-01-14 14:19 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-14 14:19 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-14 14:19 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-14 14:19 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-14 14:19 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-14 14:19 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-14 14:11 136,797 a------- c:\windows\system32\nvapps.nvb
2009-01-14 09:02 <DIR> --d----- c:\windows\Dell
2009-01-13 03:59 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-09 10:37 <DIR> --d----- C:\VundoFix Backups
2009-01-09 10:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-09 10:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-09 10:30 <DIR> --d----- c:\docume~1\markt\applic~1\SUPERAntiSpyware.com
2009-01-09 10:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-01-14 14:18 23,428 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 11:10:48.03 ===============

Thanks for looking, and any input you can give me.

Mike

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:04:47 PM

Posted 26 January 2009 - 09:54 AM

Hello Mike and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
