Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan infection Virtum-Gen, Dloadr-BEW, Bckdr-QJL


  • Please log in to reply

#1
tonytattoo

tonytattoo

    New Member

  • Member
  • Pip
  • 4 posts
Using machine normally and let it open to smaller children for a few days. When I re-booted my entire F:drive was blank 150G gone. I was able to run restore programs to get back some stuff but most of it is too ravaged to restore.

What do you suggest. Waiting for a Webroot AntiSpyware to complete scanning and I can run others as necessary. Also machine running much slower than normal.

T- :)
  • 0

Advertisements


#2
tonytattoo

tonytattoo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
After running webroot AntiSpyware I saw that there were 3 trojans but after quarentine and deleting them a re-run still shows them in the system.

VIRTUM-GEN

DLOADR-BEW

BCKDR-QJL





Getting error REGT is not recognized as an internal or external command operable program or batch file when trying to run combofix.

ComboFix 07-11-01.1** - Tony 2007-11-03 0:11:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.705 [GMT -4:00]
Running from: C:\Documents and Settings\Tony\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Tony\Application Data\ICROSO~1.NET
C:\Documents and Settings\Tony\Application Data\winantiviruspro2007freeinstall[1].exe
C:\Program Files\wintouch
C:\Program Files\wintouch\wintouch.cfg
C:\windows\Casino.ico
C:\windows\cookies.ini
C:\windows\dat.txt
C:\windows\Free Online Dating.ico
C:\windows\rs.txt
C:\windows\Spyware Remover.ico
C:\windows\system32\amirlout.dll
C:\windows\system32\apkdewso.exe
C:\windows\system32\app.exe
C:\windows\system32\asqdhhdk.dll
C:\windows\system32\bhpaqbkc.dll
C:\windows\system32\bkapengl.exe
C:\windows\system32\bszip.dll
C:\windows\system32\bxutolog.exe
C:\WINDOWS\system32\ckbqaphb.ini
C:\windows\system32\debbllbu.dll
C:\windows\system32\dgdimrav.dll
C:\windows\system32\drivers\core.cache.dsk
C:\windows\system32\drivers\core.sys
C:\windows\system32\drivers\npf.sys
C:\windows\system32\fnts~1
C:\windows\system32\fnts~1\F?nts\
C:\windows\system32\fxyxegxq.exe
C:\windows\system32\hcgwkudo.exe
C:\windows\system32\igkmwvnp.exe
C:\WINDOWS\system32\jajphkkj.ini
C:\windows\system32\jcicwkkl.exe
C:\windows\system32\jimqymdp.exe
C:\windows\system32\jixockvy.exe
C:\windows\system32\jkkhpjaj.dll
C:\WINDOWS\system32\kdhhdqsa.ini
C:\windows\system32\kewjqlsf.exe
C:\windows\system32\lamrsfcu.exe
C:\windows\system32\mkryeiyp.exe
C:\windows\system32\mrfyrdpy.dll
C:\windows\system32\nhqnvpgv.exe
C:\windows\system32\niydnmhg.exe
C:\WINDOWS\system32\nnppo.bak1
C:\WINDOWS\system32\nnppo.bak2
C:\WINDOWS\system32\nnppo.ini
C:\WINDOWS\system32\nnppo.ini2
C:\WINDOWS\system32\nnppo.tmp
C:\WINDOWS\system32\npuptiqn.ini
C:\windows\system32\nqitpupn.dll
C:\windows\system32\nsedsarm.exe
C:\windows\system32\packet.dll
C:\windows\system32\pthreadVC.dll
C:\WINDOWS\system32\tuolrima.ini
C:\WINDOWS\system32\ubllbbed.ini
C:\windows\system32\wnfrnlys.exe
C:\windows\system32\wpcap.dll
C:\windows\system32\xajagalo.exe
C:\WINDOWS\system32\ypdryfrm.ini
C:\windows\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService
-------\nm
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 00:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 08:35 <DIR> d-------- C:\VundoFix Backups
2007-11-02 00:12 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-02 00:11 <DIR> d-------- C:\Program Files\AskSBar
2007-11-02 00:04 <DIR> d-------- C:\Program Files\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-02 00:04 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-02 00:04 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-02 00:04 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-02 00:04 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-02 00:04 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-08 07:03 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Avanquest
2007-10-07 21:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2007-10-07 21:46 <DIR> dr-hs---- C:\_Backup.RC
2007-10-07 21:46 <DIR> d--h----- C:\_Backup
2007-10-07 21:41 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\VCOM
2007-10-07 21:36 <DIR> d-------- C:\Program Files\VCOM
2007-10-05 00:10 <DIR> d-------- C:\Program Files\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 11:32 --------- d-----w C:\Program Files\Ouqbukyc
2007-11-02 03:46 --------- d-----w C:\Program Files\LimeWire
2007-10-09 06:42 --------- d-----w C:\Documents and Settings\Tony\Application Data\WholeSecurity
2007-10-08 02:08 --------- d-----w C:\Program Files\Logitech
2007-10-08 02:05 --------- d-----w C:\Program Files\NAVNT
2007-10-08 02:03 --------- d-----w C:\Program Files\Symantec
2007-10-08 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-08 02:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-08 02:00 --------- d-----w C:\Program Files\Notes
2007-10-08 01:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 22:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 04:16 --------- d-----w C:\Program Files\GameSpy Arcade
2007-09-30 00:46 --------- d-----w C:\Program Files\qzuzkdgl
2007-09-29 13:14 --------- d-----w C:\Documents and Settings\Tony\Application Data\System Tweaker
2007-09-28 06:30 --------- d-----w C:\Program Files\Pandora Recovery
2007-09-28 05:43 --------- d-----w C:\Documents and Settings\Tony\Application Data\PandoraRecovery
2007-09-27 03:36 --------- d-----w C:\Program Files\Microsoft Games
2007-09-27 02:59 --------- d-----w C:\Program Files\DivX
2007-09-16 18:18 --------- d-----w C:\Program Files\Java
2007-09-15 12:31 --------- d-----w C:\Program Files\iTunes
2007-09-15 12:30 --------- d-----w C:\Program Files\iPod
2007-09-15 12:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-10 23:09 --------- d-----w C:\Program Files\ATI Technologies
2007-09-06 05:04 --------- d-----w C:\Program Files\Privacy Mantra 2.04
2007-09-06 05:03 --------- d-----w C:\Program Files\Privacy Mantra 1.33
2007-09-06 02:27 --------- d-----w C:\Program Files\BulletProofSoft.com
2007-01-21 22:43 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2004-12-23 02:23 21,848 -c-ha-w C:\Documents and Settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-11-02 00:11 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-02 00:11 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-02 00:11 267592]

[HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-02 00:11 267592]

[HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"<NO NAME>"="C:\Program Files\Western Digital\Data Lifeguard Tools\DataLifeguard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Checkpoint Notify"="C:\Program Files\VCOM\Fix-It\CheckpointNotify.exe"
"VundoFix"="C:\Documents and Settings\Tony\My Documents\vundofix.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"=1 (0x1)
"DisableCurrentUserRunOnce"=1 (0x1)
"DisableCurrentUserRun"=1 (0x1)
"DisableLocalMachineRunOnce"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoTrayNotify"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"imonNT"=2 (0x2)
"BlackICE"=2 (0x2)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\windows\system32\Drivers\SSFS0BB8.SYS
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\windows\system32\Drivers\SSFS0BB9.SYS
R1 lusbaudio;Logitech USB Microphone;C:\windows\system32\drivers\lvsound2.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 QCAbsee;Logitech QuickCam Web(PID_0801);C:\windows\system32\DRIVERS\LVCA.sys
R3 smbusp;Intel® SMBus 2.0 Driver;C:\windows\system32\DRIVERS\smb.sys
S0 bthex;bthex;C:\windows\system32\drivers\bthex.sys
S1 atinnt;atinnt;C:\windows\system32\drivers\atinnt.sys
S1 ks2k;ks2k;C:\windows\system32\drivers\ks2k.sys
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\windows\system32\Drivers\ALIEHCI.sys
S2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
S2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
S2 MKEUSB01;%MKEUSB01.SvcDesc%;C:\windows\system32\Drivers\MkeUsb01.sys
S3 aliroothub;USB 2.0 Root Hub;C:\windows\system32\DRIVERS\AliRtHub.sys
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\windows\system32\DRIVERS\ipsecw2k.sys
S3 MLFILEM;MLFILEM;\??\C:\windows\system32\drivers\MLFILEM.SYS
S3 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\DRIVERS\usbprint.sys
S4 AutoExNT;AutoExNT;C:\windows\system32\AutoExNT.Exe
S4 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\VCOM\Fix-It\mxtask.exe -Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbc287d4-67c1-11db-8203-00104b625209}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 02:01:07 C:\windows\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 00:25:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 0:28:06 - machine was rebooted
.
--- E O F ---






HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 12:33:41 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\Explorer.EXE
C:\windows\system32\devldr32.exe
C:\windows\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\cidaemon.exe
C:\windows\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Checkpoint Notify] "C:\Program Files\VCOM\Fix-It\CheckpointNotify.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Tony\My Documents\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] "C:\Program Files\Western Digital\Data Lifeguard Tools\DataLifeguard.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191895906018
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O20 - Winlogon Notify: NavLogon - C:\windows\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Unknown owner - C:\Program Files\Network ICE\BlackICE-3-1\blackd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by tonytattoo, 02 November 2007 - 10:37 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP