Results 1 to 9 of 9

Thread: Possible Virtumonde infection

  1. #1
    Junior Member
    Join Date
    Nov 2010
    Posts
    5

    Default Possible Virtumonde infection

    Hi,

    During a routine check with Spybot, the program discovered 2 Virtumonde files, a library and a settings files. The program was able to remove the settings, but apparently not the library, even though it was repeated from a reboot.

    The machine has had no apparent symptoms (at least not any of those described publicly), and there is no entry for "MS Juan" in the registry.

    Per your request, here is DDS.txt (attach.txt is zipped and attached:


    DDS (Ver_10-11-27.01) - NTFSx86
    Run by Paul at 9:39:23.15 on Sat 11/27/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.237 [GMT -5:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Omniquad MyPrivacy\MyPrivacy\mpsvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\StkASv2K.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
    C:\Program Files\Lexmark 7100 Series\ezprint.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\lxbxcoms.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\PopTray\PopTray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\xfer\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.lenovo.com/us/en/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www.lenovo.com/us/en/
    uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TpShocks] TpShocks.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
    mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
    mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
    mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se dvd\uvPL.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [lxbxmon.exe] "c:\program files\lexmark 7100 series\lxbxmon.exe"
    mRun: [EzPrint] "c:\program files\lexmark 7100 series\ezprint.exe"
    mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
    mRun: [Virtual PDF Printer] c:\program files\virtual pdf printer\VirtualPDFPrinter.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\docume~1\paul\startm~1\programs\startup\anw.lnk - c:\program files\anw\ANW.EXE
    StartupFolder: c:\docume~1\paul\startm~1\programs\startup\poptray.lnk - c:\program files\poptray\PopTray.exe
    StartupFolder: c:\documents and settings\paul\start menu\programs\startup\subst.bat
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\BILLMIND.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\QWDLLS.EXE
    uPolicies-explorer: NoRecentDocsNetHood = 01000000
    IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: ACNotify - ACNotify.dll
    Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
    Notify: igfxcui - igfxdev.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    LSA: Notification Packages = scecli csspwntfy

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\n05hqncv.default\
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\n05hqncv.default\extensions\{34274bf4-1d97-a289-e984-17e546307e4f}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
    R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 smihlp;SMI helper driver;\??\c:\program files\thinkvantage fingerprint software\smihlp.sys --> c:\program files\thinkvantage fingerprint software\smihlp.sys [?]

    =============== File Associations ===============

    .txt=UltraEdit.txt

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-11-21 15:47:01 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
    2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll

    ============= FINISH: 9:40:04.48 ===============

    Thank you in advance for any help.

    Paul G

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi pgurwitz,

    Sorry for the delay, no shortage of posters. If you still need help reply back.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Nov 2010
    Posts
    5

    Default

    Yes I would, thank you.

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    ok we will get a download to use as another check for malware:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    How Can I Reduce My Risk?

  5. #5
    Junior Member
    Join Date
    Nov 2010
    Posts
    5

    Default

    Thanks. Malware Bytes detected 6 infections and says it healed them all. Here's the log file:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5241

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    12/3/2010 6:50:39 PM
    mbam-log-2010-12-03 (18-50-38).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 211078
    Time elapsed: 31 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\all users\application data\10397344 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Paul\application data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\Paul\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\10397344\10397344 (Rogue.Multiple) -> Quarantined and deleted successfully.


    What's next?

    Paul

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    ok. check Spybot for updates then re-run it and see what it comes up with this time around.
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Nov 2010
    Posts
    5

    Default

    I ran Spybot again; it found a w32.autorun.tmp, and says it fixed it. The logs are attached here:


    --- Report generated: 2010-12-04 12:25 ---

    Win32.AutoRun.tmp: [SBI $751B1850] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-01-26 TeaTimer.exe (1.6.4.26)
    2009-05-22 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-06-29 Includes\Adware.sbi (*)
    2010-11-30 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-09-22 Includes\Dialer.sbi (*)
    2010-11-30 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2010-11-30 Includes\Hijackers.sbi (*)
    2010-11-30 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-08-02 Includes\Keyloggers.sbi (*)
    2010-11-30 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-09-13 Includes\Malware.sbi (*)
    2010-12-01 Includes\MalwareC.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-10-12 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-11-30 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-06-29 Includes\Spyware.sbi (*)
    2010-11-30 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-11-02 Includes\Trojans.sbi (*)
    2010-11-30 Includes\TrojansC-02.sbi (*)
    2010-11-30 Includes\TrojansC-03.sbi (*)
    2010-11-30 Includes\TrojansC-04.sbi (*)
    2010-11-30 Includes\TrojansC-05.sbi (*)
    2010-11-30 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Do I need to do anything else?

    Thanks
    Paul

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    Hi,

    thanks for the info.
    Do I need to do anything else?
    If Spybots not finding Virtumonde anymore, then we are done. You can keep Malwarebytes, note that the free version must be updated manually and a scan started manually. Its good practice to keep it updated even if you dont scan with it at that time.
    So if all is good, some tips to help you remain malware free:

    10 Tips for Prevention and Avoidance of Malware:
    There is no reason why your computer can not stay malware free.

    No software can think for you. Help yourself. In no special order:

    1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-updates feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status here.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

    5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself. How to harden FireFox for safer surfing.

    10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


    More info/tips with pictures in links below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    Nov 2010
    Posts
    5

    Default

    Thanks a lot; I really appreciate it.

    Paul

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •