Thread: Virtumonde, Antivirus Override, and more

  1. #1 SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Virtumonde, Antivirus Override, and more

    Hello,
    Seems like we are quite infected. It started with fake antivirus notifications (the title of the window popping up was "Windows Vista 2012 Alert" or something similar), which also suppressed our normal security warnings that pop up; I used to ignore those, thinking they were just free trials of random products trying to get us to purchase them. I use S&D to clear viruses and then they are right back again the next time I log on, and now a Virtumonde virus has shown up. I'm not very computer savvy, and I'm certain we are not using any/enough/correct programs to stay protected; we need some help cleaning and then protecting our computer. Any help is very much appreciated.

    Thanks!

    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_20
    Run by Jason at 0:21:01 on 2011-06-16
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1191 [GMT -6:00]
    .
    AV: avast! antivirus *Enabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! antivirus *Enabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\RtHDVCpl.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Ylukamoheyeva] rundll32.exe "c:\users\jason\appdata\local\dins049.dll",Startup
    uRun: [Rdateno] rundll32.exe "c:\users\jason\appdata\local\ayodipokidupa.dll",Startup
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Rdateno] rundll32.exe "c:\users\jason\appdata\local\ayodipokidupa.dll",Startup
    StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{F7BD6E73-F03E-4C12-85B8-8ADE8BF19A9B} : DhcpNameServer = 192.168.0.1 205.171.3.25
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
    FF - prefs.js: browser.startup.homepage - www.msn.com
    FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\FFExternalAlert.dll
    FF - component: c:\users\jason\appdata\roaming\mozilla\firefox\profiles\fjz7lecu.default\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\mozilla firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
    FF - Ext: XULRunner: {AAE87C63-8801-4CCB-8775-6E1A609F940C} - c:\users\jason\appdata\local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-11 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-11 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-2-11 53328]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-11 138680]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-24 1153368]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-11 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-11 352920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-14 08:22:35 0 ----a-w- c:\users\jason\appdata\local\Pbegaxacodene.bin
    2011-06-14 08:22:34 -------- d-----w- c:\users\jason\appdata\local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
    2011-06-09 23:13:26 1062984 ----a-w- c:\users\jason\gotomypc_540.exe
    .
    ==================== Find3M ====================



    .
    .
    ============= FINISH: 0:22:11.14 ===============

    SPYBOT S&D Results:

    Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1516005676-1222019494-700852110-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno

    Virtumonde.prx: [SBI $0E36D458] Program file (File, nothing done)
    C:\Users\Jason\AppData\Local\ayodipokidupa.dll
    Properties.size=274432
    Properties.md5=868349B56DD907AF13B139AB2B113DEE
    Properties.filedate=1200882262
    Properties.filedatetext=2008-01-20 20:24:21

    Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno

    Virtumonde.prx: [SBI $0E36D458] Autorun settings (Rdateno) (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rdateno


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-10-24 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-05-17 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-05-16 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-04-05 Includes\Malware.sbi (*)
    2011-06-07 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-05-24 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-05-03 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-05-31 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-05-17 Includes\Trojans.sbi (*)
    2011-05-11 Includes\TrojansC-02.sbi (*)
    2011-05-11 Includes\TrojansC-03.sbi (*)
    2011-06-06 Includes\TrojansC-04.sbi (*)
    2011-06-06 Includes\TrojansC-05.sbi (*)
    2011-06-07 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2 Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi SLRHCristy

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Combofix.txt

    Hello,

    Here is the combofix log for your review.

    Thanks!

    ComboFix 11-06-15.04 - Jason 06/16/2011 12:33:46.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1137 [GMT -6:00]
    Running from: c:\users\Jason\Downloads\ComboFix.exe
    AV: avast! antivirus *Disabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! antivirus *Disabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Sukoku
    c:\program files\Sukoku\sukoku.dll
    c:\program files\Sukoku\uninstall.exe
    c:\programdata\Sukoku
    c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}
    c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome.manifest
    c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome\content\_cfg.js
    c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\chrome\content\overlay.xul
    c:\users\Jason\AppData\Local\{AAE87C63-8801-4CCB-8775-6E1A609F940C}\install.rdf
    c:\users\Jason\AppData\Local\ayodipokidupa.dll
    c:\users\Jason\AppData\Local\dins049.dll
    c:\users\Jason\gotomypc_540.exe
    c:\windows\system32\jusched.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\cristy\AppData\Local\temp
    2011-06-16 18:41 . 2011-06-16 18:41 -------- d-----w- c:\users\cass\AppData\Local\temp
    2011-06-14 08:22 . 2011-06-16 14:48 0 ----a-w- c:\users\Jason\AppData\Local\Pbegaxacodene.bin
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-30 278528]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-26 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-26 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-26 133656]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    .
    c:\users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{75F4A956-7178-4257-A9AE-BB2C68A6FF0E}.job
    - c:\windows\system32\msfeedssync.exe [2011-04-17 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\fjz7lecu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
    FF - prefs.js: browser.startup.homepage - www.msn.com
    FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\Mozilla Firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Ylukamoheyeva - c:\users\Jason\AppData\Local\dins049.dll
    HKCU-Run-Rdateno - c:\users\Jason\AppData\Local\ayodipokidupa.dll
    HKLM-Run-Lexmark X1100 Series - c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
    HKLM-Run-Rdateno - c:\users\Jason\AppData\Local\ayodipokidupa.dll
    AddRemove-Sukoku - c:\program files\Sukoku\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-16 12:44
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Device Parameters\MODES]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
    @DACL=(02 0000)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Alwil Software\Avast4\ashDisp.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-16 12:50:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-16 18:50
    ComboFix2.txt 2009-11-01 17:25
    .
    Pre-Run: 257,522,483,200 bytes free
    Post-Run: 257,487,187,968 bytes free
    .
    - - End Of File - - 39351B85201F9584C65826A8BC860962

  4. #4 Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi

    Does Spybot still find something, and do you still have the same symptoms?

  5. #5 SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Still showing same viruses upon startup and running S&D

    Hello Shaba,

    Yes, the same viruses still show up once I have shut down and restarted. We have used the internet over the past few days, but these are the same viruses that showed up originally before the Virtumonde popped into the picture, and they show up every time we restart the system. Each time I turn on the computer, I run Spybot, fix problems, then shut down. And once I log in again, the viruses are back. I did as instructed and ran ComboFix and then ran Spybot per your instructions, and the viruses still show up... I no longer see the Virtumonde and the Windows security block/fake popups, but the same five viruses keep showing up in Spybot. These were not listed on the first log I sent you since I had already run Spybot several times before that and didn't think these would show back up again...

    Here is the log:

    DoubleClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)
    Statcounter: Tracking cookie (Firefox: Jason (default)) (Cookie, nothing done)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-10-24 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-05-17 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-05-16 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-04-05 Includes\Malware.sbi (*)
    2011-06-07 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-05-24 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-05-03 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-05-31 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-05-17 Includes\Trojans.sbi (*)
    2011-05-11 Includes\TrojansC-02.sbi (*)
    2011-05-11 Includes\TrojansC-03.sbi (*)
    2011-06-06 Includes\TrojansC-04.sbi (*)
    2011-06-06 Includes\TrojansC-05.sbi (*)
    2011-06-07 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  6. #6 Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Those are not dangerous but more like harmless.

    Please see here for how to prevent them from coming back.

    Let me know if it helped.
