Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: that vicious virtumonde and sinister smitfraud!

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    9

    Default that vicious virtumonde and sinister smitfraud!

    Hello and happy new year.

    I've been infected with Virtumonde, Virtumonde.generic, and SmitFraud. They are pernicious buggers: I have used both spybot and symantec to clean up my machine, but the infections have always come back.

    I have identified a dll file in my system32 folder, which is associated with the infection, but I can't remove it manually because it is associated with the explorer.exe and winlogon.exe processes.

    The hijackthis log is below.

    Thank you so much for your help and patience.

    ******************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:10:57 AM, on 1/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\DSentry.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.princeton.edu/
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...0Installer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126734610611
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217348810272
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princeton.edu
    O17 - HKLM\Software\..\Telephony: DomainName = princeton.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princeton.edu
    O18 - Filter hijack: text/html - {b71badaa-f02c-4705-b998-3ee462dbb2e6} - C:\WINDOWS\system32\mst120.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 1: (no name) - C:\WINDOWS\SCI\Documentation\desktop.htm

    --
    End of file - 5339 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.

    I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

    1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

    2)A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    3) Post also an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    9

    Default thank you very much

    1. I have read the entire "before you post" thread (and had done already). Teatimer has been disabled.
    2. I will keep the computer offline except when working with you or checking for your replies.
    3. I do not expect fast or easy, and I very much appreciate your help and patience.
    4. I have turned off Windows firewall and Symantec Antivirus. I turned off the Symantec autoprotect temporarily. Should I turn I use the "permanent" option?

    5. Here are the three logs you asked for -- combofix, hijackthis, and hijackthis uninstall.

    COMBOFIX LOG

    ComboFix 09-01-05.05 - pcturner 2009-01-06 15:05:28.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.70 [GMT -5:00]
    Running from: c:\documents and settings\pcturner\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\byXPJArO.dll
    c:\windows\system32\OrAJPXyb.ini
    c:\windows\system32\OrAJPXyb.ini2
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
    .

    2009-01-03 13:50 . 2009-01-03 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
    2009-01-02 21:36 . 2009-01-02 21:36 <DIR> d-------- c:\documents and settings\pcturner\LocalLow
    2008-12-23 18:52 . 2008-12-23 18:52 <DIR> d-------- c:\program files\Trend Micro
    2008-12-22 23:44 . 2009-01-06 15:11 2,206 --a------ c:\windows\system32\wpa.dbl
    2008-12-21 16:42 . 2008-12-21 16:42 302,592 --a------ c:\windows\system32\imvtlvvq.gti

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-06 20:11 --------- d-----w c:\program files\Symantec AntiVirus
    2009-01-06 19:22 --------- d-----w c:\program files\TVAnts
    2008-12-22 17:18 --------- d-----w c:\program files\HP
    2008-12-15 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-14 21:59 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-25 03:08 --------- d-----w c:\program files\Microsoft Silverlight
    2003-03-12 09:16 307,200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
    2003-03-12 09:16 303,104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
    2003-03-12 09:16 311,296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
    2003-03-12 09:16 299,008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
    2003-03-12 09:16 303,104 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
    2003-03-12 09:16 290,816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
    2003-03-12 09:15 122,880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
    "DVDSentry"="c:\windows\system32\DSentry.exe" [2003-02-06 28672]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
    "SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source= c:\windows\SCI\Documentation\desktop.htm
    FriendlyName=

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    --a------ 2005-11-10 20:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
    --a------ 2002-10-17 10:54 4608 c:\windows\system32\carpserv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=2 (0x2)
    "MDM"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\program files\Symantec Antivirus\rtvscan.exe"= c:\program files\Symantec Antivirus\rtvscan.exe:128.112.128.49/255.255.255.255:Enabled:SAV
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "38037:TCP"= 38037:TCP:128.112.128.49/255.255.255.255:Enabled:SAVManaged1
    "38037:UDP"= 38037:UDP:128.112.128.49/255.255.255.255:Enabled:SAVManaged1
    "2967:UDP"= 2967:UDP:128.112.128.49/255.255.255.255:Enabled:SAVManaged3
    "38292:TCP"= 38292:TCP:128.112.128.49/255.255.255.255:Enabled:SAVManaged2
    "38292:UDP"= 38292:UDP:128.112.128.49/255.255.255.255:Enabled:SAVManaged2
    "38293:UDP"= 38293:UDP:128.112.128.49/255.255.255.255:Enabled:SAVManaged4
    "2967:TCP"= 2967:TCP:128.112.128.49/255.255.255.255:Enabled:SAVManaged3

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
    R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2004-10-25 92550]
    R4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-06 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe []

    2009-01-06 c:\windows\Tasks\syejapda.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{2B81323E-EB86-4769-ABAE-EA2B135FA22D} - (no file)
    BHO-{AE4C8C56-4CF6-4539-9530-94FEB90C80FF} - c:\windows\system32\byXPJArO.dll
    BHO-{AFDF1845-3B2D-493F-BCF0-FED64F40C379} - (no file)
    BHO-{BA438CAD-237B-4197-BA5E-F332FC8C133E} - c:\windows\system32\efcBrQIc.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.princeton.edu/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\pcturner\Application Data\Mozilla\Firefox\Profiles\chjqyo0s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.princeton.edu/main/
    FF - plugin: c:\documents and settings\pcturner\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_900\npoctoshape.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll
    FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPOJI610.dll
    FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nprjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-06 15:11:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(860)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\windows\system32\scardsvr.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Apoint\hidfind.exe
    c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
    c:\program files\Apoint\ApntEx.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-06 15:14:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-06 20:14:49

    Pre-Run: 12,440,559,616 bytes free
    Post-Run: 12,379,066,368 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    180

    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:33:22 PM, on 1/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\DSentry.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\pcturner\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.princeton.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...0Installer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126734610611
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217348810272
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princeton.edu
    O17 - HKLM\Software\..\Telephony: DomainName = princeton.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princeton.edu
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 1: (no name) - C:\WINDOWS\SCI\Documentation\desktop.htm

    --
    End of file - 5777 bytes

    HIJACKTHIS UNINSTALL LOG

    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 7.0.8
    Adobe Shockwave Player
    Adobe SVG Viewer 3.0
    ALPS Touch Pad Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Broadcom Gigabit Integrated Controller
    CDisplay 1.8
    C-Major Audio
    Conexant D480 MDC V.92 Modem
    Dell Wireless WLAN Card
    DjVu Browser Plug-in 4.0
    DVDSentry
    Easy CD Creator 5 Basic
    ffdshow (remove only)
    Gaim (remove only)
    GTK+ Runtime 2.6.9 rev a (remove only)
    HijackThis 2.0.2
    Hotfix for Windows Media Format SDK (KB902344)
    HP LaserJet P1000 series
    HPCarePackProducts
    InterVideo WinDVD
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    LiveUpdate 3.2 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Office XP Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Mozilla Firefox (3.0.5)
    Mozilla Thunderbird (1.5.0.7)
    MrvlUsgTracking
    Netflix Movie Viewer
    O2Micro Smartcard Driver
    QuickSet
    QuickShot 1.52
    QuickTime
    RealPlayer
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    SigmaTel AC97 Audio Drivers
    Spybot - Search & Destroy
    SSH Secure Shell
    Symantec AntiVirus
    VideoLAN VLC media player 0.8.6i
    Windows Genuine Advantage v1.3.0254.0
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    THANK YOU VERY MUCH

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    From the looks of the combofix report, you removed a good bit of the infection but did not get it all. Virtumonde can morph and recreate as you are aware.

    c:\windows\system32\imvtlvvq.gti <<< tell me what this file is. If you don't know, make sure you can view all files and folders:
    http://www.bleepingcomputer.com/tuto...utorial62.html
    scan the file with at least one of these free onlines scanners and post the results:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/


    Let's proceed like this:

    Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    *Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
    http://www.windowsnetworking.com/art...efetch-XP.html

    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.malwarebytes.org/

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Tutorial if needed:
    http://www.techsupportteam.org/forum...ware-mbam.html

    How is the computer running now?

    Thanks

    This can be done as time permits, but it is important.
    Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
    Hackers are using out of date programs to infect folks more and more,
    Here is a small free tool that lets you know when something needs an update if you are interested:
    http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

    Adobe Reader 7.0.8 <<< out of date and unsafe, see this:
    http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
    http://www.filehippo.com/download_adobe_reader/
    (if you want a smaller program, look at this one)
    Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
    http://www.foxitsoftware.com/pdf/rd_intro.php

    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8

    Out of date and unsafe, see this:
    http://forums.spybot.info/showpost.p...80&postcount=2
    Be aware of this information so you can opt out of anything you do not want.
    Microsoft Does MSN Toolbar Distribution Deal With Java:
    http://searchengineland.com/microsof...java-15413.php
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Dec 2008
    Posts
    9

    Default

    Quote Originally Posted by pskelley View Post
    c:\windows\system32\imvtlvvq.gti <<< tell me what this file is. If you don't know, make sure you can view all files and folders:
    http://www.bleepingcomputer.com/tuto...utorial62.html
    scan the file with at least one of these free onlines scanners and post the results:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/
    before I follow the rest of your instructions, I would like to know whether I should delete the file you asked about.

    Here is the VirusTotal report on it (Kapersky came up with nothing):
    Antivirus Version Last Update Result
    a-squared 4.0.0.73 2009.01.06 -
    AhnLab-V3 2009.1.6.3 2009.01.06 -
    AntiVir 7.9.0.45 2009.01.06 -
    Authentium 5.1.0.4 2009.01.06 -
    Avast 4.8.1281.0 2009.01.06 Win32:Trojan-gen {Other}
    AVG 8.0.0.199 2009.01.06 Vundo.CQ
    BitDefender 7.2 2009.01.06 -
    CAT-QuickHeal 10.00 2009.01.06 -
    ClamAV 0.94.1 2009.01.06 -
    Comodo 884 2009.01.06 -
    DrWeb 4.44.0.09170 2009.01.06 -
    eTrust-Vet 31.6.6294 2009.01.06 Win32/VundoCryptorAA!generic
    Ewido 4.0 2008.12.31 -
    F-Prot 4.4.4.56 2009.01.06 -
    F-Secure 8.0.14470.0 2009.01.06 -
    Fortinet 3.117.0.0 2009.01.06 -
    GData 19 2009.01.06 Win32:Trojan-gen {Other}
    Ikarus T3.1.1.45.0 2009.01.06 -
    K7AntiVirus 7.10.578 2009.01.06 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.01.06 -
    McAfee 5486 2009.01.05 -
    McAfee+Artemis 5487 2009.01.06 -
    Microsoft 1.4205 2009.01.06 Trojan:Win32/Vundo.D
    NOD32 3744 2009.01.06 -
    Norman 5.80.02 2009.01.06 W32/Virtumonde.AJBZ
    Panda 9.0.0.4 2009.01.06 -
    PCTools 4.4.2.0 2009.01.06 -
    Prevx1 V2 2009.01.06 Fraudulent Security Program
    Rising 21.11.12.00 2009.01.06 AdWare.Win32.Undef.drs
    SecureWeb-Gateway 6.7.6 2009.01.06 -
    Sophos 4.37.0 2009.01.06 Troj/Virtum-Gen
    Sunbelt 3.2.1809.2 2008.12.22 -
    Symantec 10 2009.01.06 -
    TheHacker 6.3.1.4.209 2009.01.06 -
    TrendMicro 8.700.0.1004 2009.01.06 -
    VBA32 3.12.8.10 2009.01.06 -
    ViRobot 2009.1.6.1546 2009.01.06 -
    VirusBuster 4.5.11.0 2009.01.06 -
    Additional information
    File size: 302592 bytes
    MD5...: d60b3712ffd96b743bcde081dbc83153
    SHA1..: 039dc7f4b5ebf87fecd50ba1d1d1fa4508ea1b85
    SHA256: e8ef6ec913422f6eb2009a295b861b40c11d753bfefd11c312472cdf68262c83
    SHA512: c0b2c671d8fcec2fb82325f22a94b2cda5543908f9af71caf1601aa36e335477
    b684b71be5825e0b6950cdf9477e166ed1ebb4451fd544ab370c66c622b139d1
    ssdeep: 6144:ZKA2n1MEdxvWmG4agGgevwWC52X4jmCVmq9WJ0qVdqMdhS6HVfgUXSwZOCH
    3ZZa3:IA21vLSsKwWC5njh8q9WiqVdqohS6tfO
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (38.5%)
    Win32 Dynamic Link Library (generic) (34.2%)
    Clipper DOS Executable (9.1%)
    Generic Win/DOS Executable (9.0%)
    DOS Executable Generic (9.0%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1009f870
    timedatestamp.....: 0x48235752 (Thu May 08 19:41:06 2008)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x1000 0x200 7.57 6d4a00f5c899093b31fe85456c2d65d8
    .rdata 0x2000 0x1000 0x200 7.57 ac8248760dc3205e4644fd3bd41d4e0a
    .data 0x3000 0x9b000 0x46a00 8.00 b10b0e36aa43c3044b4ad4d72677617f
    .reloc 0x9e000 0x1000 0x400 2.30 32bedec89d0ea566829b6f32717b5f03
    .pdata 0x9f000 0x3000 0x2800 4.80 a8b3f4e7840a4bffc4b8ba47747afa28

    ( 4 imports )
    > USER32.dll: SystemParametersInfoA, GetSystemMetrics
    > KERNEL32.dll: ExitProcess, GetSystemInfo, CreateFileA
    > GDI32.dll: CreateHalftonePalette
    > comdlg32.dll: PrintDlgExW

    ( 0 exports )
    Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=0ED1B9B200D038F99EBA04C7B31EAF00DAED8CC8' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=0ED1B9B200D038F99EBA04C7B31EAF00DAED8CC8</a>

    ********

    I was pretty sure it was associated with the virus because of the modified/created date.

    I am also suspicious of this file, in the same folder, which appeared today just about the time I ran Combofix: wpa.dbl

    But it seems clean, according to VirusTotal:

    Antivirus Version Last Update Result
    a-squared 4.0.0.73 2009.01.06 -
    AhnLab-V3 2009.1.6.3 2009.01.06 -
    AntiVir 7.9.0.45 2009.01.06 -
    Authentium 5.1.0.4 2009.01.06 -
    Avast 4.8.1281.0 2009.01.06 -
    AVG 8.0.0.199 2009.01.06 -
    BitDefender 7.2 2009.01.06 -
    CAT-QuickHeal 10.00 2009.01.06 -
    ClamAV 0.94.1 2009.01.06 -
    Comodo 884 2009.01.06 -
    DrWeb 4.44.0.09170 2009.01.06 -
    eTrust-Vet 31.6.6294 2009.01.06 -
    Ewido 4.0 2008.12.31 -
    F-Prot 4.4.4.56 2009.01.06 -
    F-Secure 8.0.14470.0 2009.01.06 -
    Fortinet 3.117.0.0 2009.01.06 -
    GData 19 2009.01.06 -
    Ikarus T3.1.1.45.0 2009.01.06 -
    K7AntiVirus 7.10.578 2009.01.06 -
    Kaspersky 7.0.0.125 2009.01.06 -
    McAfee 5486 2009.01.05 -
    McAfee+Artemis 5487 2009.01.06 -
    Microsoft 1.4205 2009.01.06 -
    NOD32 3744 2009.01.06 -
    Norman 5.80.02 2009.01.06 -
    Panda 9.0.0.4 2009.01.06 -
    PCTools 4.4.2.0 2009.01.06 -
    Prevx1 V2 2009.01.06 -
    Rising 21.11.12.00 2009.01.06 -
    SecureWeb-Gateway 6.7.6 2009.01.06 -
    Sophos 4.37.0 2009.01.06 -
    Sunbelt 3.2.1809.2 2008.12.22 -
    Symantec 10 2009.01.06 -
    TheHacker 6.3.1.4.209 2009.01.06 -
    TrendMicro 8.700.0.1004 2009.01.06 -
    VBA32 3.12.8.10 2009.01.06 -
    ViRobot 2009.1.6.1546 2009.01.06 -
    VirusBuster 4.5.11.0 2009.01.06 -
    Additional information
    File size: 2206 bytes
    MD5...: 83d3b9be4187c1a524b6edd1c2a556e3
    SHA1..: 34e32d476a86d9aa00229ae1f901494c1ca4c557
    SHA256: 8a1396942dfac4bed6675f8b7af809f8ad9b6096663375eea5412dfe9faeff85
    SHA512: febe6cbf36d4da6f5b6ee202a8fb9f2944786faf9ff6a91378f08650ea0e4e23
    9e4cd0d702bc852507e574568e007b5c8eb5be606c1af95bd6bcc93c87f620cc
    ssdeep: 48:aqBbkVrGcF8FVxuQ4Ro5Heo5kTgTvW3Mq3rvFaIPUuzsLdhQdngAH2:3KVj8F
    VEQuo5HxK1aIvzsLdhQ+y2
    PEiD..: -
    TrID..: File type identification
    Unknown!
    PEInfo: -

    *************

    Should I delete one or both before proceeding?

    Thank you

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    c:\windows\system32\wpa.dbl <<< this one when I Google returns this:
    http://www.google.com/search?hl=en&q...earch&aq=f&oq=
    Which appears to be a valid Windows file as you can see.
    See this: http://www.extremetech.com/article2/...1151566,00.asp

    I personally would be nervous about deleting that file.

    As you can also see here:
    2008-12-22 23:44 . 2009-01-06 15:11 2,206 --a------ c:\windows\system32\wpa.dbl

    imvtlvvq.gti <<< has been on the computer since 12/21 and it appears to be bad, the other one appears to be valid which is how the scans report it.
    2008-12-21 16:42 . 2008-12-21 16:42 302,592 --a------ c:\windows\system32\imvtlvvq.gti


    imvtlvvq.gti <<< I suggest you delete this file ONLY, then complete the balance of the instructions.

    Thanks for checking.

    Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Dec 2008
    Posts
    9

    Default

    I deleted the .gti file and not the .dbl file. Then I followed your instructions with ATF Cleaner and Malwarebytes' Anti-Malware.

    Here is the log from Malwarebytes' Anti-Malware:

    Malwarebytes' Anti-Malware 1.32
    Database version: 1625
    Windows 5.1.2600 Service Pack 3

    1/6/2009 5:38:33 PM
    mbam-log-2009-01-06 (17-38-33).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 97747
    Time elapsed: 39 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\byXPJArO.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E141A96D-B285-49E5-9F13-F945BFEB67D7}\RP135\A0014622.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{E141A96D-B285-49E5-9F13-F945BFEB67D7}\RP148\A0019190.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


    Here is the log from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:39 PM, on 1/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\DSentry.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\pcturner\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.princeton.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...0Installer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126734610611
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217348810272
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princeton.edu
    O17 - HKLM\Software\..\Telephony: DomainName = princeton.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princeton.edu
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 1: (no name) - C:\WINDOWS\SCI\Documentation\desktop.htm

    --
    End of file - 5977 bytes


    Once we have successfully cleaned my system, I would like to ask you some questions about the programs you pointed out as dangerous. Thank you again.

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.



    Clean the System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, update it and run it once a month or so)

    Update Symantec and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
    http://www.symantec.com/enterprise/support/index.jsp

    If all is well at this point, let me know and I will close the topic.


    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Dec 2008
    Posts
    9

    Default

    everything seems to be clean, and I figured out the questions I'd wanted to ask you. Except these two:

    1. Is there anything I should do in the next week or two to make sure that my computer is genuinely clean?

    and (though I know this is a little bit out of your jurisdiction) can you direct me to a list of things I can do to prevent identity theft after having had spyware on my machine? (E.g., change credit card passwords.)

    Thank you so much for your help.

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    First question:
    as far as I am concerned the computer is clean, the word "genuinely" means nothing to me in this context. You can run scans forever and each will find junk according to the database they maintain, but we have destroyed the ability to execute. If you want scans to run, look at the list I provided at the end.

    Second question:
    Start here >> http://www.dslreports.com/faq/10451
    Google for the information you want, for instance "prevent identity theft"
    returns 671,000 possible sites for information.
    http://www.google.com/search?hl=en&q...earch&aq=f&oq=

    Here are some good links from Microsoft:
    . Security At Home site
    http://www.microsoft.com/athome/security/default.mspx
    . Security Tips & Talk blog
    http://blogs.msdn.com/securitytipstalk/default.aspx
    . RSS feed: Get security information delivered to you
    http://www.microsoft.com/athome/secu...s/default.mspx
    . Security video tutorials
    http://www.microsoft.com/athome/secu...s/default.mspx
    . Security community for home users
    http://www.microsoft.com/athome/secu...p/default.mspx
    . Support for your computer security issues
    http://www.microsoft.com/athome/secu...t/default.mspx
    . Worldwide computer security information
    http://www.microsoft.com/athome/secu...e/default.mspx

    Hope that helps
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •