Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Virtumonde infection

  1. #11
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, January 23, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, January 23, 2009 17:01:56
    Records in database: 1675780
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\

    Scan statistics:
    Files scanned: 51627
    Threat name: 3
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 02:58:30


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\akiahuat.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\digeste.dll.vir Infected: Trojan.Win32.Agent.biua 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\efcCssRl.dll.vir Infected: Trojan.Win32.Monder.arsi 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gklqbw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\iitimrdh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ykmvco.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1

    The selected area was scanned.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:30, on 2009-01-23
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Trent Kucher\Desktop\Gooch38\Gooch38.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120326078671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125620040031
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

    --
    End of file - 7331 bytes

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Empty this folder:

    C:\Qoobox\Quarantine

    Empty Recycle Bin.

    Still problems?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    My computer doesn't seem to have the popup and redirect problems since I ran ComboFix. It seems to be running OK, but there are a few things I've noticed that maybe have no relation to the previous Virtumonde infection.

    1) When I click to open a Windows Internet Explorer browser, it sometimes locks up and says it is "Not Responding" so I have to close it down and try starting it again. It seems to always work OK the second time. Now it did this before, but only rarely. Since the fix it seems to happen about 25% of the time. It's not a big problem, I'm just wondering why it may be happening.

    2) My free antivirus program, Avira AntiVir, now says I don't have a valid license and won't let me update it. As a free program I thought I didn't need a license, but I guess that maybe it was a trial version and the trial period has run out.

    3) Just before this response, I ran Spybot S&D out of curiosity, and there where 8 hits. Most were tracking cookies except 2 which it didn't list any information on - Casale Media, and Right Media. Everything was cleaned. Normally I don't get these tracking cookies, but I'm guessing that since to fix my computer that we had to turn off all the virus and maleware protection programs and firewalls, that is why I got all these tracking cookies.

    Hopefully none of this is anything to worry about and my computer is finally clean.

    Thanks,

    Trent

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    1) Does that happen also with other browsers?

    2) Here is a valid license key for antivir free. You should be able to load it via help - licensemanagement

    3) I will give a bit later tips for preventing those from coming.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #15
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    1) I'm not sure if it happens with other browsers. While I have Firefox, I haven't used it in a couple years so I haven't been updating it. I know most security people recommend using a different browser than IE, but I just was used to it and it was what I use at work too. I guess I can update my Firefox and see how it works. Is that your recommendation?

    2) Thank you for the license.

    Trent

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    1) Yes I can also redirect you to some windows forum if you like to?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #17
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    Sure, if you have a windows forum that you think could help me, then I'd be interested in going to take a look.

    I'll also upgrade my Firefox. Mine is at least 2 years old (probably 3), is it better to just uninstall and download the newest version, or to try to try to upgrade it?

    Regards,

    Trent

  8. #18
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    After I updated my Avira anti-virus program, I started running it. I probably should have waited until you told me everything was good. It said found a virus in "KSU.cab" in the Kodak/Easyshare directory. It says that this file has the trojan "TR/BHO.SecretCrush". Avira then said that ComboFix.exe was a virus, so I ignored it and stopped the scan until you tell me that everything is good.

    Trent

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Those are both false positives, you can ignore them.

    As you have very old version of Firefox, uninstallation and fresh installation is best way here.

    Still some other concerns?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Junior Member
    Join Date
    Jan 2009
    Posts
    13

    Default

    No other concerns. I guess I'm ready to do the final cleanup if that is what you suggest.

    I'll uninstall Firefox and download a new version and give it a try. I'll wait a while until we've done the cleanup and it looks like my computer is running fine. I have noticed that you often post some information as to how to make IE safer. I would be interested in this information just in case I decide Firefox isn't for me and I got back to IE.

    Thanks,

    Trent

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •