PDA

View Full Version : Virtumonde maybe/problems still


emsdallas
2008-07-19, 09:06
I believe my problem is Virtumode. I installed SopCast earlier this week and have had major problems since.

Multiple IE browers open with a variety of different crappy websites
Automatic download of a virus program
Privacy setting for cookies keeps resetting to accept ALL cookies
Automatic Updates Service has been disabled/cannot enable or reinstall

I ran Spybot,default mode-resident ie turned off, multiple times in safe mode,fixed and problems keep re-appearing.

I ran VirtumondoBegone, also in safe mode, which seemed to help with the multiple windows opening and the auto download of that unrequested virus program has stopped.

I reset the registry's permissions, but still auto updates cannot be enabled or reinstalled, and the privacy setting for ie6 keeps accepting ALL cookies.

After this post, I will install and run Kaspersky.

I have XP Pro with SP2 and IE6.

Here's my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:02 AM, on 07/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program

Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32

v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media

Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft

IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E-&mail Page - C:\WINDOWS\Web\Mailto_URL.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} -

http://support.microsoft.com/default.aspx?scid=FH;EN-US;KBHOWTO (file

missing)
O9 - Extra 'Tools' menuitem: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} -

http://support.microsoft.com/default.aspx?scid=FH;EN-US;KBHOWTO (file

missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control)

- http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) -

http://gemal.dk/browserspy/capicom.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class)

-

http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWeb

Control.cab?1209273253774
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/w

uweb_site.cab?1216436125906
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) -

http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation -

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program

Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel

32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common

Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common

Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

--
End of file - 4846 bytes

This is a first for me; I normally don't download-install unrecommended programs, so I'll definitely not do that again.

Thanks for your help!!!

Elaine
:oops:
ken545
2008-07-22, 04:35
Hello Elaine

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.



Elaine, I can't read your HJT log the way you posted it, do it this way.


Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.



Post the Malwarebytes log and a new HJT log please