Another Virtumonde case. Please Help!!

Status
Not open for further replies.
it sucks that I can't edit my posts...


anyways, here's a new combofix log after I understood and redid the findawf steps


ComboFix 07-12-15.5 - intelmic 2007-12-15 21:33:04.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.442 [GMT -5:00]
Running from: C:\Documents and Settings\intelmic\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 18:57 . 2007-12-15 18:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-15 18:57 . 2003-03-31 14:00 13,312 --a------ C:\WINDOWS\system32\OLDD.tmp
2007-12-14 21:24 . 2007-12-14 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 18:25 . 2007-12-14 18:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-14 18:23 . 2007-12-14 18:23 <DIR> d-------- C:\KAV
2007-12-14 15:27 . 2007-12-14 15:27 250 --a------ C:\WINDOWS\gmer.ini
2007-12-14 15:03 . 2007-12-14 15:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-14 15:03 . 2007-12-15 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-14 13:14 . 2007-12-14 13:14 <DIR> d-------- C:\VundoFix Backups
2007-12-14 11:56 . 2007-12-14 12:03 952,263 --ahs---- C:\WINDOWS\system32\orkcvkje.ini
2007-12-12 11:46 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\su2
2007-12-12 11:46 . 2007-12-14 20:36 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-12 11:45 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-12 11:45 . 2007-12-12 11:45 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-12 11:45 . 2007-12-15 11:34 <DIR> d-------- C:\Temp
2007-12-06 21:07 . 2007-12-09 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-06 21:07 . 2007-12-06 21:07 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 02:32 --------- d-----w C:\Program Files\MSN Messenger
2007-12-16 02:32 --------- d-----w C:\Program Files\Easy Message
2007-12-16 02:25 --------- d-----w C:\Program Files\Winamp
2007-12-16 02:25 --------- d-----w C:\Program Files\Avast4
2007-12-14 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 09:36 --------- d-----w C:\Documents and Settings\intelmic\Application Data\uTorrent
2007-12-10 03:59 --------- d-----w C:\Documents and Settings\intelmic\Application Data\LimeWire
2007-12-07 17:44 --------- d-----w C:\Documents and Settings\intelmic\Application Data\mIRC
2007-12-07 17:42 --------- d-----w C:\Program Files\mIRC
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-12 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-12 00:06 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-06 12:49 --------- d-----w C:\Program Files\XoftSpySE
2007-10-25 23:15 --------- d-----w C:\Program Files\Jasc Software Inc
2007-10-20 16:49 --------- d-----w C:\Program Files\PDF Merger
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_17.00.28.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-31 19:00:00 13,312 ----a-w C:\WINDOWS\LastGood\system32\ctfmon.exe
+ 2004-08-04 05:56:50 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-08-26 15:59]
"Gestionnaire Antidote.exe"="C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe" [2005-06-22 16:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\bcmntray" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 09:05 C:\WINDOWS\AGRSMMSG.exe]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 12:24]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 08:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\585e0725]
rundll32.exe C:\WINDOWS\system32\ejkvckro.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 12:33 1388544 --a------ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 01:49:44 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-12-13 01:49:43 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
- C:\Documents and Settings\intelmic\Desktop\alarme.exe
"2007-11-06 12:49:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 21:33:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 21:34:37
C:\ComboFix2.txt ... 2007-12-15 21:16
C:\ComboFix3.txt ... 2007-12-15 19:00
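As an added example (not part of this thread, and not code from ComboFix, Kaspersky or any other tool named here), the following Python script reads the ComboFix sections above and flags the two Vundo indicators visible in this log: a hidden+system data file dropped into system32 (orkcvkje.ini, attributes --ahs----), and a startup entry that uses rundll32 to call an export of a DLL in system32 (ejkvckro.dll,b). It also checks for the pairing visible in this log, where the hidden .ini name is the loaded DLL name spelled backwards. The sample lines are copied from the posted log; the line-format regexes, the system32 check and the reversed-name heuristic are my assumptions tuned to this log and are not a general Vundo signature.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: a subset of the lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2007-12-15 18:57 . 2003-03-31 14:00 13,312 --a------ C:\WINDOWS\system32\OLDD.tmp
2007-12-14 11:56 . 2007-12-14 12:03 952,263 --ahs---- C:\WINDOWS\system32\orkcvkje.ini
2007-12-12 11:46 . 2007-12-12 11:46 <DIR> d-------- C:\WINDOWS\system32\su2
2007-12-06 21:07 . 2007-12-09 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\585e0725]
rundll32.exe C:\WINDOWS\system32\ejkvckro.dll,b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe /tray
"""

# Assumed shape of a "Files Created" line: two timestamps, a size or <DIR>,
# a 9-character attribute string (d/r/a/h/s/c or '-'), then the path.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+?)\s*$"
)
# Assumed shape of a rundll32 autostart value: "rundll32[.exe] <dll>,<export>".
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<path>.+?\.dll)\s*,\s*(?P<export>\S+)", re.IGNORECASE
)
SYSTEM32 = r"c:\windows\system32"


def in_system32(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS\\system32 (case-insensitive)."""
    return ntpath.dirname(path).lower() == SYSTEM32


def stem(path: str) -> str:
    """Lower-case file name without extension, e.g. 'orkcvkje'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return a list of findings; each is a dict with kind, path and reason."""
    findings: List[Dict[str, str]] = []
    hidden_stems: Dict[str, str] = {}  # stem -> path of hidden+system files
    dll_stems: Dict[str, str] = {}     # stem -> path of rundll32-loaded DLLs

    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # A plain data file with hidden+system attributes in system32 is
            # unusual for legitimate software; Vundo used it for its .ini store.
            if m.group("size") != "<DIR>" and "h" in attrs and "s" in attrs \
                    and in_system32(path):
                findings.append({
                    "kind": "hidden_system_file", "path": path,
                    "reason": f"hidden+system attributes ({attrs}) on a data file in system32",
                })
                hidden_stems[stem(path)] = path
            continue

        m = RUNDLL_RE.search(line)
        if m and in_system32(m.group("path").strip()):
            path = m.group("path").strip()
            findings.append({
                "kind": "rundll32_autostart", "path": path,
                "reason": f"rundll32 loads export '{m.group('export')}' from a DLL in system32",
            })
            dll_stems[stem(path)] = path

    # Heuristic (my assumption, derived from this log): the dropped .ini name is
    # the DLL name reversed, which ties the two artefacts to one infection.
    for s, ini_path in hidden_stems.items():
        reversed_stem = s[::-1]
        if reversed_stem in dll_stems:
            findings.append({
                "kind": "reversed_name_pair", "path": ini_path,
                "reason": f"name is '{reversed_stem}' spelled backwards, matching {dll_stems[reversed_stem]}",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['kind']:22} {finding['path']}  ({finding['reason']})")
```

Run it with `python vundo_log_check.py` (any file name) and it prints three findings: the hidden .ini, the rundll32 DLL load, and the reversed-name pairing; the legitimate QTFont.qfn (hidden but outside system32) and OLDD.tmp (not hidden) are left alone. On a real log, treat each finding as something to look up, not as proof on its own.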
 
it sucks that I can't edit my posts...
<<< that's no problem, it is for good reason. Folks were going back making all kinds of changes and this is for the best.

This was my second removal of this AWF trojan. I had asked a friend who is an expert with the tool to watch over my shoulder, and now he will not have to. Great job spotting that.
I can point you to free training opportunities if you have an interest in learning more.

Let's have a look at the first Kaspersky scan: Friday, December 14, 2007 10:42:22 PM

This is your call, Kaspersky says it is a problem, but it may not be. If you want other opinions:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

Once you resolve that issue, it appears the rest are infected System Restore files.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Remove combofix, the C:\qoobox\quarantine\ folder, Vundofix and the C:\VundofixBackups\ folder.

Restart your computer and run a new Kaspersky scan which should be clean. I do not need to see a clean scan.

Thanks...Phil
 
Well thank you very much Phil.

I appreciated your help and super fast feedback. We can now close this case. As I see on the forum, this Virtumonde is really growing. I'm curious to know how it spreads itself so fast.


Thank you!
 
Thanks for the feedback, take this information with you:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

The infection has been around for a while now; it just seems to get harder and harder to remove as the hackers get smarter at hiding from us.

Have a look at the links I posted for Derek at the end of his topic.
http://forums.spybot.info/showthread.php?t=21408

Happy Holidays
 