system
June 20, 2009, 3:43pm
1
Here is the MBAM log file:
Malwarebytes’ Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600
6/20/2009 10:36:49 AM
mbam-log-2009-06-20 (10-36-39).txt
Scan type: Full Scan (C:|D:|)
Objects scanned: 160949
Time elapsed: 37 minute(s), 15 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24
Memory Processes Infected:
C:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.
C:\WINDOWS\pp10.exe (Worm.KoobFace) → No action taken.
Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) → No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\TypeLib{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\CLSID{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) → No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcdlbuyxm (Trojan.FakeAlert.H) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Malware.Trace) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) → No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) → No action taken.
Files Infected:
C:\WINDOWS\SYSTEM32\kegbtdvr.exe (Trojan.FakeAlert.H) → No action taken.
c:\program files\podmena\podmena.dll (Trojan.Agent) → No action taken.
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) → No action taken.
c:\program files\podmena\podmena.sys (Trojan.Agent) → No action taken.
c:\documents and settings\Default\local settings\Temp\stron_1245117177.exe (Trojan.LdPinch) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\W096W2D1\fb.46[1].exe (Worm.Koobface) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\pdrv[1].exe (Trojan.Dropper) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\install[3].exe (Rogue.SystemSecurity) → No action taken.
c:\documents and settings\Default\Desktop\install.exe (Rogue.SystemSecurity) → No action taken.
c:\system volume information_restore{f6a55a90-a77a-40a4-a5bf-35438f2bf3fc}\RP548\A0154530.sys (Trojan.Agent) → No action taken.
C:\WINDOWS\pp10.exe (Malware.Trace) → No action taken.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.
c:\documents and settings\Default\Cookies\MM2048.DAT (Trojan.Agent) → No action taken.
c:\documents and settings\Default\Cookies\MM256.DAT (Trojan.Agent) → No action taken.
C:\WINDOWS\ld09.exe (Backdoor.Bot) → No action taken.
c:\WINDOWS\SYSTEM32\stuffit5.engine-5.1.dll (Trojan.FakeAlert) → No action taken.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) → No action taken.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) → No action taken.
c:\WINDOWS\zaponce53198.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce53173.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) → No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) → No action taken.
Thanks for any help you can give!
system
June 20, 2009, 4:04pm
2
Run MBAM again, this time fix the threats found. Then reboot, run MBAM again (quick scan), post a log, and post a HJT log. Also run SAS, and post that log: http://filehippo.com/download_superantispyware/
Stick to one thread, otherwise people get confused.
system
June 20, 2009, 11:57pm
6
Ran MBAM and fixed threats - here is the report:
Malwarebytes’ Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600
6/20/2009 5:51:51 PM
mbam-log-2009-06-20 (17-51-51).txt
Scan type: Full Scan (C:|D:|)
Objects scanned: 160654
Time elapsed: 33 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
system
June 20, 2009, 11:58pm
7
Ran SAS and fixed what it said to fix. It didn’t/couldn’t get rid of everything. Here’s the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/20/2009 at 06:40 PM
Application Version : 4.26.1004
Core Rules Database Version : 3949
Trace Rules Database Version: 1891
Scan type : Complete Scan
Total Scan Time : 00:46:26
Memory items scanned : 372
Memory threats detected : 0
Registry items scanned : 4602
Registry threats detected : 12
File items scanned : 17612
File threats detected : 1
Adware.VX2 Transponder Variant
HKLM\Software\Classes\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32#ThreadingModel
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\ProgID
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\Programmable
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\TypeLib
HKCR\CLSID{00000580-C637-11D5-831C-00105AD6ACF0}\VersionIndependentProgID
HKCR\MSView.MSViewObj.1
HKCR\MSView.MSViewObj
HKCR\TypeLib{11CC62B9-65F8-4A8B-B33F-5DE4E838442D}
C:\WINDOWS\MSVIEW.DLL
system
June 20, 2009, 11:59pm
8
Here is the HijackThis log after running both MBAM and SAS:
Logfile of HijackThis v1.99.1
Scan saved at 6:55:33 PM, on 6/20/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1242394866&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp\Winampa.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
O4 - HKLM..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe “Default”
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htmÿ
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
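The HijackThis log above is triaged by eye in this thread (the O4 Run entry with the random-looking name, and the proxy pointed at localhost). The following Python script, an added example that is not part of the thread and not code from HijackThis, automates that first pass: it parses R1 ProxyServer and O4 Run lines and flags the two patterns. The sample lines are constructed to mirror the posted log, and `looks_random` is a hypothetical heuristic, not a verdict; any hit still needs a hash lookup or sandbox result before removal.

```python
import re

# Constructed sample: four lines in HijackThis 1.99 log syntax that mirror the
# posted log (one legitimate Run entry, the suspicious one, and the proxy line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

RUN_ENTRY = re.compile(r"^O4 - ([^:]+): \[([^\]]+)\] (.*)$")
PROXY_ENTRY = re.compile(r"^R1 - .*,ProxyServer = (.*)$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Hypothetical heuristic for machine-generated names such as 'fhqixzuev'
    or 'kegbtdvr': all lowercase letters, at least 7 long, and either
    vowel-poor, carrying a long consonant run, or rich in rare letters."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    rare = sum(c in "qxzj" for c in name)
    return vowel_ratio < 0.3 or longest_run >= 4 or rare >= 2


def triage_hjt(text: str) -> list:
    """Return findings from a HijackThis log: Run entries whose key name or
    executable stem looks random, and a ProxyServer that points at the local
    host (a sign that something on the box is intercepting browser traffic)."""
    findings = []
    for line in text.splitlines():
        m = PROXY_ENTRY.match(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group(1), re.I):
            findings.append({"kind": "local-proxy", "value": m.group(1)})
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        # Take the executable path (quoted or not), then its file name stem.
        exe = re.split(r"[\\/]", command.strip('"').split('"')[0])[-1]
        if looks_random(name) or looks_random(exe.split(".")[0]):
            findings.append({"kind": "suspicious-run-entry", "hive": hive,
                             "name": name, "command": command})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print(finding)
```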
system
June 21, 2009, 12:05am
9
When trying to remove the rest of the objects with SUPERAntiSpyware I get the error message below:
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: c:\Program Files\SUPERAntiSpyware\ SUPERAntiSpyware.exe
R6025
pure virtual function call
Then SUPERAntiSpyware just exits out.
Thanks for any assistance!
system
June 21, 2009, 12:08am
10
Navigate to C:\WINDOWS\System32\kegbtdvr.exe, send kegbtdvr.exe to virustotal, and post the results please
http://www.virustotal.com/
system
June 21, 2009, 12:33am
11
Here are the results from VirusTotal. FYI, I could not find a KEGBTDVR.EXE anywhere in system32. The closest I could find was KEGBTDVR.EXE-31359DD3.pf, and it was in windows\Prefetch. Here are the results for that file:
File KEGBTDVR.EXE-31359DD3.pf received on 2009.06.21 00:21:48 (UTC)
Current status: finished
Result: 0/41 (0%)
Additional information
File size: 17636 bytes
MD5…: 8162cb3478c45c7436ef6717edb2fb52
SHA1…: 3e6748bbb1b8c051a841173a0029d115985fbe33
SHA256: c977b373b05d1a69ee91142ab375bc5ada4bdd72d683eed4bb12df55aed0f254
ssdeep: 192:8dd4NdSbSbmJ3yM2yhwPYHi0hKVh8FUkjXTRlB2Hexl0maOGC2wk3CraO:83UO4mJ3yM2yhFiwoh8h/2HCnAj3I
PEiD…: -
TrID…: File type identification
Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
PEInfo: -
PDFiD.: -
RDS…: NSRL Reference Data Set
system
June 21, 2009, 12:44am
12
Run HJT again, choose scan only. Fix O4 - HKLM..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
Reboot.
Run SAS and MBAM again, and post the log, thank you.
system
June 21, 2009, 12:50am
13
This is the old HJT. You need to download 2.0.2 from Trend Secure. So uninstall the old one first, install 2.0.2, and post a fresh new HJT log.
system
June 21, 2009, 12:56am
14
I don’t think it will make much difference, do you?
system
June 21, 2009, 9:08am
15
Especially if they are running Windows without any Service Packs.
Tarq57
June 22, 2009, 3:46am
16
There doesn’t appear to be much practical difference (for diagnosis purposes) between HjT 1.99 and 2.02.
Regarding your seriously out of date Windows, why?
You’re still using a non-patched version, and using IE6.
There actually isn’t a lot of point in trying to delete malware from this PC if you aren’t going to patch it. It will be like trying to keep water out of a roof full of holes. You’ll get sick of moving the buckets.
I’d get SP1, then get SP3, which can be installed on an XP SP1 system, then get the subsequent MS updates.
system
June 22, 2009, 8:14am
17
Infected In Twenty Minutes
Scott Granneman, 2004-08-19
What normally happens within twenty minutes? That’s how long your average unprotected PC running Windows XP, fresh out of the box, will last once it’s connected to the Internet.
http://www.securityfocus.com/columnists/262
Windows XP Service Pack 2 CD:
https://om2.one.microsoft.com/opa/CASearch.aspx?StoreID=d7a098f4-4034-4ccb-a785-9e890e6b4f5b&LocaleCode=en-us
Windows XP Service Pack 3 CD:
http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx