
Virtumonde and other trojans


This topic is locked
10 replies to this topic

#1 Derenion

  • Members
  • 9 posts

Posted 04 May 2009 - 04:02 PM

I think I'm infected by a version of the Virtumonde virus (at least, it's popped up several times when I've run SUPERAntiSpyware). I've run SUPERAntiSpyware, Ad-Aware and PC Tools Spyware Doctor several times in the past few days, and they always find something, but it never gets rid of everything; again, I've seen Virtumonde pop up a few times. Hopefully one of you can give me a hand with this.

Here is the DDS log, and attached is the Attach file as directed.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Robert Jackson at 15:55:12.82 on Mon 05/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1548 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\hwupgrade.exe
C:\WINDOWS\system32\ntvbn.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Robert Jackson\Local Settings\Temporary Internet Files\Content.IE5\8O947M3N\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [DL32] DL32
uRun: [Diagnostic Manager] c:\docume~1\robert~1\locals~1\temp\3509285064.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HW Upgrade] c:\windows\hwupgrade.exe
mRun: [ntvbn] c:\windows\system32\ntvbn.exe
mRun: [LG] c:\windows\hwupgrade.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [<NO NAME>] c:\windows\temp\jhilux.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\jhilux.exe
dRun: [Diagnostic Manager] c:\windows\temp\2336725120.exe
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-explorer: NoPrinters = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoChangeAnimation = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\5b89fpoq.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-8-10 40840]
R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-2 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-17 28544]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-8-10 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-8-10 81288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-26 55152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-10 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-8-10 1079176]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 hwdrv;hwdrv;c:\windows\system32\drivers\hwdrv.sys [2009-5-2 4096]
S0 Phb84;Phb84;c:\windows\system32\drivers\phb84.sys --> c:\windows\system32\drivers\Phb84.sys [?]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 Idmapeaun;Idmapeaun; [x]
S3 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-17 38496]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 XDva098;XDva098;\??\c:\windows\system32\xdva098.sys --> c:\windows\system32\XDva098.sys [?]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-17 419448]

=============== Created Last 30 ================

2009-05-04 15:20 292 a------- c:\windows\system32\ikhcore.cfg
2009-05-03 22:32 <DIR> --d----- C:\VundoFix Backups
2009-05-03 22:08 46 a------- c:\windows\system32\p2hhr.bat
2009-05-03 22:07 17,920 a------- c:\windows\system32\ak1.exe
2009-05-02 13:43 389,120 a------- c:\windows\system32\CF30247.exe
2009-05-02 13:00 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-02 10:46 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-02 10:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-02 10:38 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-02 10:37 <DIR> --d----- c:\program files\Lavasoft
2009-05-02 10:36 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-02 10:36 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-02 10:36 <DIR> --d----- c:\windows\system32\796525
2009-05-02 10:36 578,560 a------- c:\windows\system32\hagmuxiu
2009-05-02 10:36 7,680 a------- C:\okex.exe
2009-05-02 10:36 55,296 a------- C:\wavunte.exe
2009-05-02 10:36 4,096 a------- c:\windows\system32\drivers\hwdrv.sys
2009-05-02 10:36 93,564 a------- c:\windows\system32\drivers\af7bd14.sys
2009-05-02 10:36 42,496 a--sh--- c:\windows\system32\ntvbn.exe
2009-05-02 10:36 13,824 a--sh--- c:\windows\msncom.exe
2009-05-02 10:35 21,504 ---sh--- c:\windows\hwupgrade.exe
2009-05-02 10:35 2 a------- C:\1679616913
2009-05-02 10:35 7,680 a------- C:\celkadaa.exe
2009-05-02 10:35 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-05-02 10:35 55,296 a------- C:\xnev.exe
2009-05-02 10:35 9,216 a------- c:\windows\instsp2.exe
2009-05-02 10:29 <DIR> --d----- c:\docume~1\robert~1\applic~1\pidle
2009-04-30 03:01 177,152 -------- c:\windows\system32\dllcache\msctfime.ime
2009-04-27 18:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-04-27 18:23 <DIR> --d----- c:\program files\Sony Pictures Games
2009-04-25 08:27 2,722,845 a------- c:\windows\system32\GameMon.des
2009-04-25 08:25 4,682 a------- c:\windows\system32\npptNT2.sys
2009-04-25 08:25 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-04-25 05:28 <DIR> --d----- c:\program files\ʢ
2009-04-21 00:01 <DIR> --d----- c:\program files\Perfect World Entertainment
2009-04-20 22:52 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-04-20 22:52 17,212 a------t c:\windows\system32\SIntf32.dll
2009-04-20 22:52 12,067 a------t c:\windows\system32\SIntf16.dll
2009-04-20 22:42 36,891 a------- c:\windows\DIIUnin.dat
2009-04-20 22:42 94,208 a------- c:\windows\DIIUnin.exe
2009-04-20 22:42 2,829 a------- c:\windows\DIIUnin.pif
2009-04-20 22:35 <DIR> --d----- c:\program files\Diablo II
2009-04-20 22:14 <DIR> --d----- c:\docume~1\robert~1\applic~1\DAEMON Tools Pro
2009-04-20 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-20 21:40 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-04-20 21:40 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-04-20 21:40 <DIR> --d----- c:\docume~1\robert~1\applic~1\DAEMON Tools Lite
2009-04-16 20:32 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 20:32 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 20:32 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 20:32 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 20:32 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 20:32 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 20:32 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 20:32 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 20:32 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 20:16 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 20:16 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 20:16 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 17:39 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-04-15 17:32 <DIR> --d----- c:\program files\World of Warcraft
2009-04-08 00:37 <DIR> --d----- c:\program files\Ryzom

==================== Find3M ====================

2009-05-02 13:49 578,560 a------- c:\windows\system32\user32.dll
2009-05-02 13:45 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-05-02 10:52 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-05-02 10:52 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-05-02 10:52 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-05-02 10:35 51,200 a--sh--- c:\windows\system32\liputiji.exe
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-15 00:10 50,688 a------- c:\windows\system32\wbhelp2.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-04-19 15:54 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-02-02 10:29 49,152 a--sh--- c:\windows\system32\gopufuzi.dll.vir

============= FINISH: 15:56:48.67 ===============

Thank you so very much.
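A triage pass over a DDS log like the one above, as an added example that is not part of this thread or of the DDS tool: it parses the Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30 sections and flags the entries a helper would look at first (autoruns from temp directories, unnamed or numeric-named entries, drivers DDS could not verify on disk, hidden+system or drive-root executables, and Firefox forced through a localhost proxy). The sample log is a constructed excerpt of the one posted, and a flag means "review", not "malware".

```python
"""Triage heuristics for a DDS log: parse the Pseudo HJT Report, SERVICES / DRIVERS
and Created Last 30 sections and flag entries worth a closer look (review, not verdict)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Diagnostic Manager] c:\docume~1\robert~1\locals~1\temp\3509285064.exe
dRun: [<NO NAME>] c:\windows\temp\jhilux.exe
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
============= SERVICES / DRIVERS ===============
R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-2 64160]
S0 Phb84;Phb84;c:\windows\system32\drivers\phb84.sys --> c:\windows\system32\drivers\Phb84.sys [?]
S3 Idmapeaun;Idmapeaun; [x]
=============== Created Last 30 ================
2009-05-02 10:36 42,496 a--sh--- c:\windows\system32\ntvbn.exe
2009-05-02 10:36 7,680 a------- C:\okex.exe
2009-05-02 10:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
"""

HEXURL_RE = re.compile(r"^[um]SearchMigratedDefaultURL = (?P<hex>[0-9a-fA-F]+)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<val>.*)$")
DRIVER_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<rest>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")
EXE_EXT = (".exe", ".dll", ".sys", ".scr", ".bat", ".pif", ".com")


def first_path(cmd: str) -> str:
    """Executable path from a Run value: either "quoted path" args or path args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def decode_hex_url(hexstr: str) -> str:
    """DDS prints SearchMigratedDefaultURL as hex-encoded ASCII; decode it for review."""
    return bytes.fromhex(hexstr).decode("ascii", "replace")


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries a helper would examine first."""
    findings: List[Tuple[str, str]] = []
    prefs: Dict[str, Tuple[str, str]] = {}  # pref key -> (value, source line)
    for line in (raw.strip() for raw in log.splitlines()):
        m = HEXURL_RE.match(line)
        if m:
            findings.append((line, "info: decoded search URL = " + decode_hex_url(m["hex"])))
            continue
        m = RUN_RE.match(line)
        if m:
            path = first_path(m["cmd"]).lower()
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\temp\\" in path:
                findings.append((line, "autorun launched from a temp directory"))
            if m["name"] == "<NO NAME>":
                findings.append((line, "autorun entry with no name"))
            if stem.isdigit():
                findings.append((line, "autorun target has a random numeric file name"))
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m["key"]] = (m["val"], line)
            continue
        m = DRIVER_RE.match(line)
        if m and m["rest"].rstrip().endswith(("[?]", "[x]")):
            findings.append((line, "service/driver whose file DDS could not verify on disk"))
            continue
        m = CREATED_RE.match(line)
        if m and m["path"].lower().endswith(EXE_EXT):
            if "s" in m["attrs"] and "h" in m["attrs"]:
                findings.append((line, "new executable with hidden+system attributes"))
            if re.match(r"^[a-z]:\\[^\\]+$", m["path"].lower()):
                findings.append((line, "executable dropped in the drive root"))
    # Firefox forced through a proxy on the local machine is a traffic-interception pattern.
    ptype = prefs.get("network.proxy.type", ("", ""))[0]
    phost = prefs.get("network.proxy.http", ("", ""))[0]
    if ptype == "1" and phost in ("localhost", "127.0.0.1"):
        port = prefs.get("network.proxy.http_port", ("?", ""))[0]
        findings.append((prefs["network.proxy.http"][1], f"Firefox HTTP proxy forced to {phost}:{port}"))
    return findings
```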


#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 May 2009 - 04:42 PM

Hi Derenion,

My name is Syler and I will be helping you to clean your computer, please give me some time
to look over your logs and I will get back to you as soon as possible.

Thanks


#3 Derenion

  • Topic Starter
  • Members
  • 9 posts

Posted 11 May 2009 - 05:59 PM

Thank you very much; anxiously awaiting your reply.

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 12 May 2009 - 12:19 PM

Hi Derenion,

I see you have quite a lot of anti-spyware programs. Whilst having protection is good, having too much can cause problems. I would like you to uninstall Spyware Doctor, unless you paid for it and are desperate to keep it; I believe it can be a resource hog and it's not any better than the other programs you have.

Please go to Add/Remove Programs and uninstall Spyware Doctor; instructions can be found here if needed.

You also need to temporarily disable Ad-Watch before you continue, as this can interfere with the tools we are going to use; instructions can be found here.

I don't see an antivirus program running on your machine. You must install one before you continue.
  • Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.




We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please post back here with ComboFix.txt.

Thanks


#5 Derenion

  • Topic Starter
  • Members
  • 9 posts

Posted 12 May 2009 - 06:57 PM

Okay, I have done as asked: taken Spyware Doctor off, disabled Ad-Aware Live, run ComboFix (attached is the log) and installed Antivir Free Edition. Hopefully those will help. I will wait to see if there's anything else you'd like me to do, and thank you very much for the help =).


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 May 2009 - 09:31 AM

I don't see any signs that you have installed an antivirus; it could be that you did not follow my instructions in the order they were given. It's important to do so, as they are set out the way they are for a reason. You are still badly infected, but I want to make sure you have an AV installed before continuing.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT .
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Cheers


#7 Derenion

  • Topic Starter
  • Members
  • 9 posts

Posted 16 May 2009 - 11:00 AM

Here are the logs you requested. I didn't realize I needed to have the antivirus before I ran ComboFix, since I would've had to have it off for it. I did run the antivirus and it seemed to get rid of a lot of trojans, but here are the logs.

Attached Files

  • Attached File  info.txt   45.52KB   3 downloads
  • Attached File  log.txt   37.77KB   3 downloads


#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 May 2009 - 09:30 AM

Hi Derenion,


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\hwupgrade.exe
C:\WINDOWS\system32\ntvbn.exe
C:\WINDOWS\system32\winsmb.exe
E:\setup.exe
c:\windows\system32\lds.exe
c:\windows\msncom.exe
C:\okex.exe
C:\wavunte.exe
C:\celkadaa.exe
C:\xnev.exe
c:\windows\system32\gopufuzi.dll.vir
c:\windows\system32\drivers\af7bd14.sys
C:\WINDOWS\system32\drivers\apb8u23l.sys
C:\WINDOWS\system32\drivers\Idmapeaun.sys
c:\windows\system32\Drivers\Phb84.sys
c:\windows\system32\drivers\hwdrv.sys

Folder::
c:\windows\system32\796525
c:\documents and settings\All Users\Application Data\Trymedia

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HW Upgrade"=-
"ntvbn"=-
"LG"=-
"winsmb"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Phb84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Phb84.sys]

Driver::
af7bd14
ovfsthqjbpjcxewygehhbgiamdxdybawuynsfi
apb8u23l
Idmapeaun
Phb84
hwdrv

Rootkit::
ovfsthqqjbsyuhyebdinlrrulvrmdlwwjropkg.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

We need to scan for Rootkits with GMER

1. Please download GMER from one of the following locations, and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zip Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
2. Close any and all open programs, as this process may crash your computer.
3. Double click Posted Image or Posted Image on your desktop.
4. Allow the gmer.sys driver to load if asked.
5. You may see this window. If you do, click No.
Posted Image
6. Click on Posted Image and wait for the scan to finish.
7. If you see a rootkit warning window, click OK.
8. Push Posted Image and save the logfile to your desktop.
9. Copy and Paste the contents of that file in your next post.


Then please post back with the Gmer logfile and ComboFix.txt.

Thanks

Edited by syler, 18 May 2009 - 04:12 PM.
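A reader for the CFScript format used in the post above, as an added example and not ComboFix's own code: it turns the File::, Folder::, Registry::, Driver:: and Rootkit:: sections into a list of actions that can be checked before the script is handed to the tool. The assumed Registry semantics are that [KEY] selects a key, [-KEY] deletes it, "name"=- deletes a value and "name"=dword:... sets one; the sample script is a constructed excerpt of the one posted.

```python
"""Parse a ComboFix CFScript.txt into a list of actions that can be reviewed before
the script is dragged onto ComboFix.exe. Only the sections used in this thread are
handled; anything else is rejected rather than silently skipped."""
from typing import Dict, List, Tuple

# Constructed excerpt of the script posted in this thread.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\hwupgrade.exe
C:\WINDOWS\system32\ntvbn.exe
c:\windows\system32\drivers\hwdrv.sys

Folder::
c:\windows\system32\796525

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HW Upgrade"=-
"ntvbn"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Phb84.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000

Driver::
Phb84
hwdrv

Rootkit::
ovfsthqqjbsyuhyebdinlrrulvrmdlwwjropkg.sys
"""

Action = Tuple[str, str, str]  # (kind, target, detail)
SECTION_KINDS = {"File": "delete_file", "Folder": "delete_folder",
                 "Driver": "delete_driver_service", "Rootkit": "remove_rootkit_file"}


def parse_cfscript(text: str) -> List[Action]:
    """Turn CFScript sections into (kind, target, detail) actions.
    Assumed Registry semantics: [KEY] selects a key, [-KEY] deletes it,
    "name"=- deletes a value under the selected key, "name"=data sets one."""
    actions: List[Action] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header such as File:: or Registry::
            section, current_key = line[:-2], None
            continue
        if section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        if section in SECTION_KINDS:
            actions.append((SECTION_KINDS[section], line, ""))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete_key", line[2:-1], ""))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.startswith('"') and "=" in line:
                if current_key is None:
                    raise ValueError(f"value line before any [KEY]: {line!r}")
                name, data = line.rsplit("=", 1)
                name = name.strip('"')
                if data == "-":
                    actions.append(("delete_value", current_key, name))
                else:
                    actions.append(("set_value", current_key, f"{name}={data}"))
            else:
                raise ValueError(f"unrecognised Registry line: {line!r}")
        else:
            raise ValueError(f"unsupported section {section!r}")
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    """Count actions by kind, e.g. how many files and registry keys the script would delete."""
    counts: Dict[str, int] = {}
    for kind, _, _ in actions:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```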


#9 Derenion

  • Topic Starter
  • Members
  • 9 posts

Posted 19 May 2009 - 07:44 PM

I think I'm going to go with the reformat. I don't have anything of real value on the computer, and I backed up a few pictures and such, so it shouldn't be too painful starting back up.

#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 May 2009 - 04:32 AM

Ok, no problem, thanks for letting me know :thumbup2:, I will have this thread closed.


#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 20 May 2009 - 04:56 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



