Thread: Fraud.InternetSecurity2011 and Virtumonde

  1. #1
    Junior Member
    Join Date
    Apr 2011
    Posts
    13

    Hey guys, I've been trying to remove some malware from my computer via conventional methods such as scans for the last week or so.

    System information:

    Windows Vista Home Premium (32 bit)
    Intel (R) Core(TM)2 Duo CPU E6550 @ 2.33GHz
    3.00 GB RAM
    NVIDIA GeForce 8800 GTS 512


    The programs I use for scans are SpyBot - Search and Destroy (1.6.2), Malwarebytes' Anti Malware, and Microsoft Security Essentials. Whenever I run a scan with any of these three, SpyBot is the only program that turns up a result, which is Fraud.InternetSecurity2011. While watching which files the cleaner is analyzing, I see other names with the word fraud, and Virtumonde.

    The major symptoms I am experiencing are slow internet access, and sometimes my internet connection dies altogether. Some processes proceed slower but only at a slightly noticeable rate.

    • I have run ERUNT and set a registry backup point.


    DDS:

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Jake at 10:30:24.00 on Fri 04/22/2011
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uWindow Title = Internet Explorer provided by Dell
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678
    uInternet Settings,ProxyOverride = <local>;*.local
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\users\jake\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\users\jake\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\users\jake\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: passport.com
    Trusted Zone: passport.net
    Trusted Zone: windowsonecare.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\jake\appdata\roaming\mozilla\firefox\profiles\opymsnq6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?wl=true
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
    FF - prefs.js: network.proxy.ftp - 62.193.226.25
    FF - prefs.js: network.proxy.ftp_port - 80
    FF - prefs.js: network.proxy.gopher - 62.193.226.25
    FF - prefs.js: network.proxy.gopher_port - 80
    FF - prefs.js: network.proxy.http - 62.193.226.25
    FF - prefs.js: network.proxy.http_port - 80
    FF - prefs.js: network.proxy.socks - 62.193.226.25
    FF - prefs.js: network.proxy.socks_port - 80
    FF - prefs.js: network.proxy.ssl - 62.193.226.25
    FF - prefs.js: network.proxy.ssl_port - 80
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\users\jake\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\jake\program files\dna\plugins\npbtdna.dll
    FF - Ext: NASA Night Launch: - %profile%\extensions\nasanightlaunch@example.com
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2011-04-22 17:29:12 -------- d-----w- C:\desktop
    2011-04-22 05:32:22 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{5d3244b6-790a-48ac-83d8-ef2523845551}\MpKsl1e8b060d.sys
    2011-04-22 05:32:01 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{5d3244b6-790a-48ac-83d8-ef2523845551}\mpengine.dll
    2011-04-15 04:02:48 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-04-15 04:02:48 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-04-15 04:00:17 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-15 04:00:17 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-04-15 04:00:17 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-15 04:00:17 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-15 03:59:02 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-04-15 03:59:02 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-15 03:57:47 305152 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-04-15 03:57:46 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-15 03:57:46 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-15 03:54:30 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-04-15 03:54:30 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-04-15 03:53:15 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-04-15 03:51:59 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-15 03:50:44 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-04-15 03:47:02 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-04-05 14:30:20 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{8cdaf883-a1dc-4617-a619-fa088096a045}\gapaengine.dll
    2011-04-04 03:38:57 -------- d-----w- c:\users\jake\appdata\roaming\iTunesControl
    2011-04-04 03:38:57 -------- d-----w- c:\program files\iTunesControl
    2011-03-27 18:24:52 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
    2011-03-26 23:08:59 -------- d-----w- c:\users\jake\appdata\roaming\DVDVideoSoft
    2011-03-26 18:22:55 -------- d-----w- c:\program files\Amnesia - The Dark Descent
    .
    ==================== Find3M ====================
    .
    2011-03-12 20:15:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 10:31:40.44 ===============
    I have the Attach.txt, but in one of the first lines it says do not post this log unless specifically asked.

    I ran RootAlyzer, got these results, and took no action because I don't know what it means or how to do anything about it.

    // info: Rootkit removal help file
    // copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"No admin in ACL","C:\ProgramData\Microsoft\Network\Connections\pbk_old\rasphone.pbk"
    File:"Unknown ADS","C:\Fraps\Movies\hl2 2010-12-02 20-52-32-11.avi:TOC.WMV:$DATA"
    Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"

    If there is any more information you would like about my computer or the programs I have, by all means just ask.

    I attached the compressed attach.txt file.
    Last edited by tashi; 2011-04-22 at 22:52. Reason: Merged two posts :-)
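Added example (not part of the thread or of the DDS tool): a small Python triage helper that parses the "FF - prefs.js:" and "Hosts:" lines in the DDS pseudo-HJT layout shown above and flags Firefox proxy entries that point at a public IP (as the 62.193.226.25 entries in this log do, even though network.proxy.type is 0) and hosts-file redirects of non-local names. The sample lines are constructed to mirror the posted log; the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the DDS "Pseudo HJT Report" line format,
# shaped after the log in the post above (not the full log).
SAMPLE_DDS = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - 62.193.226.25
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.ssl - 62.193.226.25
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_dds(text):
    """Collect prefs.js key/value pairs and Hosts entries from DDS output."""
    prefs, hosts = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := PREF_RE.match(line):
            prefs[m["key"]] = m["value"]
        elif m := HOSTS_RE.match(line):
            hosts.append((m["ip"], m["name"]))
    return prefs, hosts


def triage(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    prefs, hosts = parse_dds(text)
    findings = []
    for key, value in prefs.items():
        # Only the host-valued proxy keys, not *_port or network.proxy.type.
        if key.startswith("network.proxy.") and not key.endswith(("_port", ".type")):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue  # hostnames or empty values are not judged here
            if ip.is_global:
                findings.append(f"{key} points at external proxy {value}")
    if prefs.get("network.proxy.type") == "0" and findings:
        findings.append("network.proxy.type is 0 (direct); stale proxy entries remain")
    for ip, name in hosts:
        # 127.x entries for anything but localhost block or redirect that site.
        if ip.startswith("127.") and name not in LOCAL_NAMES:
            findings.append(f"Hosts redirects {name} to {ip}")
    return findings
```

Feed it the whole DDS.txt text rather than the sample to triage a real log; lines in other sections are ignored by the two patterns.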
